23542300x800000000000000031864Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:40.434{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C568ABAE1AE073D61FFA5BF0DA213C5,SHA256=64936E302D44B1AEA0F0CD0344AB7A7A8375050F9FAE546857635E162354C041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:40.076{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DFF6AE6B47181C970A8A7427C87F37,SHA256=CAACA3237D41CC5FC9E317E3190C8CCBC6C30929213AB48303038FFDA92EC0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031865Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:41.450{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88616F34A18367E1DF3E9C245E28E948,SHA256=54F232B4E41C0D04A63B075CCCA42FAD8CF5479D393C0383A3AE6125E462C52D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:39.627{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64273-false10.0.1.12-8000- 23542300x800000000000000045286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:41.091{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767324DD23807C9380CD6D4E7E6E3C6B,SHA256=3AB373C009E93F035672CEEAAB43E770693A2DF85845D7F7B6B1B3877443D317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031867Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:42.466{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169EC5283DCAD06B38557FEBA9726928,SHA256=67B994549192348BF2E135C7164E3979718D2A11FB853C724B1C465C6CC5AA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:40.544{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64274-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000045289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:40.544{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64274-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 23542300x800000000000000045288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:42.121{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A98EE9805A63709C79D98C8CD07C2F4,SHA256=0702DA5CD17A6C3E3EA2A8C8EF361933B764325F040F5E41753505268A11D159,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031866Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:40.015{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031868Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:43.482{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057FE951608A36C299590ED14F201963,SHA256=9C537938BAF6DA41DB8D7CB2F2F4EE77D178A390FC7D4EBB64AB8E381973CDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:43.154{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29872DE0616B9682CFC8AFBF20E780A1,SHA256=FCCBF60B48B44C37386E693EA5482D3165957E08E4BCB90B1F830705C8DD7CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031869Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:44.497{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8263FE741F1FBBECB4D0F839EE8F5DAF,SHA256=1CA4284305B4D30C744E07F255ADA7488C6E6CEB317D437B487C9FEE00689B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:44.173{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD94F1B7A8BF1375EB512B02F9E216A,SHA256=1F68FEFBD39D189384C632942C635881B96242DE68A76E07ACFD15AC2FABBEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031870Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:45.513{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F1C0EB2A3ABE6056039539DE4D7EC8,SHA256=F53D0FE963EA1292CC8ECE1ABE42987B967D61B8D7129CE119C0AAB4B7EEE094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:45.204{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C86E6EA3542C3F646C1B67EA85D37E,SHA256=B870026B9B3D35DC6C686A285B5C485E2EEA8AA233523DBC67D64BDDFD96EC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031871Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:46.528{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78B0F3685B8928BD24F09F1FFBEFF53,SHA256=74796DA35F574A320E6E22D099F02F3989A0E377ECF9B76368B463132AC65FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.289{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC553D6A6BB68176CBBDEB72A7CB980,SHA256=87EB99F3F0B9F9936DFED2F36D996C1F7C6FBB0235046BA550DC69E8A9B73AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031872Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:47.544{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E7AEB00D9572AB2696B089CEDF36AE,SHA256=685F8F6DDF90FF862594D575B7955AC38B1A94F3E8E9AA18FC604B23EE230159,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:41:47.372{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000045297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:41:47.372{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Config SourceDWORD (0x00000001) 13241300x800000000000000045296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:41:47.372{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9A7B1CBE-334F-49C9-89E1-93C4FD220585.XML 23542300x800000000000000045295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:47.319{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE53DBFF431A20E581F9491FFBC0E8A9,SHA256=7E919CB38903C7B8CE09412E2C9E68411503C76EA00807E7DCE1478823C22965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031874Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:48.546{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68562BA8B2E8CD99D63BD1745FA84B4,SHA256=0CE0C156ECC9955987C0563E676F0AACD370A938E0E8A1F969F7751C0D89EB98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.838{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64278-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.838{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64278-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.822{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64277-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.822{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64277-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.808{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64276-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:46.808{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64276-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 23542300x800000000000000045302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:48.403{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B02E97255CFE73341C3C417E002EBDC,SHA256=A9E8813AE8446FE1276DEEAD1A1E6E0EED3AEA71723D341364525E72D92B2F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:48.403{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FFCBD8B48F350D5450148ADB58CF475,SHA256=EE1F867FAA3F32AF1EE8981CAE765C39193C1BCB83F3D09B4FD1B3CC3AD90A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:48.329{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5654CF19CE5D74311A0F544DCCAB1BDD,SHA256=01A2E997CF817C5856AF43C6783CC46C5C48C13B78B2133409EE26AD61DD4517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031873Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:45.952{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:45.555{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64275-false10.0.1.12-8000- 23542300x800000000000000031875Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:49.561{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D680218D77F8E0E21CF7294979B32E9,SHA256=4CD590A8C8A8DFB79FB21D60A34010123DC9B39EBA2FE872A56F1FED2DFA361C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:49.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F3F385CF9A3011E3001435FCCD7CB2,SHA256=FC3902B4C4378B172F01CD06505303576A1C3F904677EC338E7CF52E46574481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031876Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:50.561{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1626C738CDB0E59C450DF61BD63D3F1F,SHA256=B95DBE0734101C8114B62A70D2B8CA2397AC4618A4FAA4A6C4D67540F9F1A7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:50.386{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336D15231DB780EA2463CF25DBC1473C,SHA256=A3873E75F375FD84AC013DF543743DF6DF328E7238109372B6322C5E28E377DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:50.002{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:50.002{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:50.002{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000031877Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:51.577{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9932ECADCD3CE9B97DECA75B9C20D2E9,SHA256=AAED798DA1596F6C7A3C70B0B4F9C4B5AF43FBC0C914598FC13BD0426CBB7520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:51.417{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A94FE683D13E794175D0C6C4E0A8EF4,SHA256=0C08202F320D811E20FB16242C067D626039D89D783034A8356E8BFDCC9238CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031878Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:52.593{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613A4F78F8B4C5585BF29EB5E2E95CBE,SHA256=F73162A7A3369E1D04CC0741FE8BDA60E80118B931CD863AEEDC23DB4FAF7B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.450{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB952D53518A61F93DBD46C566A9F0D,SHA256=00A1D5E623FADB6BEE76D4BA5F29DDB5A99C832310D73830565882F656E46594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031880Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:53.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFAA7670D13F5F06F799923F66E1A20,SHA256=E4068B4FC6C56EF64EA43F921FFE641406D5111693C34B550CA067A810F453E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:53.915{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BEB46C227DC2951800351B17291E7D4,SHA256=F71727C6D7EDE77CF943F8492C15C6989C9FA28348AEFF6E0CB08F5D7C97732D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:53.915{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B02E97255CFE73341C3C417E002EBDC,SHA256=A9E8813AE8446FE1276DEEAD1A1E6E0EED3AEA71723D341364525E72D92B2F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:53.468{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B543581CF798D6907AF223A504A4B4B,SHA256=4B97A92623A9B36BDE6F652532A5C85181D84E61508A9F517235407BD494D25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031879Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:51.970{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000045316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:53.000{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000031881Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:54.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F8B762EC50395A96331DBA20E6E97A,SHA256=18847C3F6A7DFC78AC390AE25AA8D0743D8C5CEB63F1DE37E04BC932AF5C4668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:54.484{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACB01172D8F60E0494CAABC9C90CD3B,SHA256=13F24C693526D166497A788162D4224CF1F237C440616A09F8F96E108FB6F570,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.441{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64285-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000045331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.441{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64285-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000045330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.440{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64284-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.440{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64284-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.351{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local64283-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000045327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.351{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64283-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000045326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.339{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64282-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.339{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64282-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000045324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.339{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64281-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000045323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.338{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64281-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000045322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.337{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64280-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.337{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64280-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000045320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:51.567{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64279-false10.0.1.12-8000- 23542300x800000000000000031882Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:55.624{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1419D7FA4224C6E5F05516F1EAAB7674,SHA256=2BDB00F47E9EA05770B5B948C487471C2491042A2ADD7CC41330383C5050B156,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F3-6112-FB07-00000000E501}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-57F3-6112-FB07-00000000E501}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.899{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F3-6112-FB07-00000000E501}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.900{82A15F94-57F3-6112-FB07-00000000E501}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.498{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D829DD29F8FEE5083CDD6E249F836C2A,SHA256=EFC72F8C5FDBA801E844C66BBA23350FA61C770D0E542FFDCD89ED9651ED5FA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.383{82A15F94-57F3-6112-FA07-00000000E501}2968756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F3-6112-FA07-00000000E501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-57F3-6112-FA07-00000000E501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.230{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F3-6112-FA07-00000000E501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:55.231{82A15F94-57F3-6112-FA07-00000000E501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.444{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64286-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000045334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:52.444{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64286-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 23542300x800000000000000031883Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:56.624{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE35AB96AF2F30731A9F1E947B3A6A88,SHA256=ED976572F90F3F5596B97135CCF3E23D5BF5FEAE0574D04AC4B101D28F62A208,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F4-6112-FC07-00000000E501}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-57F4-6112-FC07-00000000E501}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.583{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F4-6112-FC07-00000000E501}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.584{82A15F94-57F4-6112-FC07-00000000E501}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.514{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114EF722612260BEE0D6AD169B199811,SHA256=8344BD59F7DAFEBED47D56B3A12DC8DF027354EC184F3E6942F4D33EF1C6ACE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:56.248{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BEB46C227DC2951800351B17291E7D4,SHA256=F71727C6D7EDE77CF943F8492C15C6989C9FA28348AEFF6E0CB08F5D7C97732D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031884Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:57.639{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648AEADB0590C8AACBAC363621895040,SHA256=4C938CD96609E41D2C7C8E9D0C3A6C37185531E8EE27F552B8510C531DBB709A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.948{82A15F94-57F5-6112-FE07-00000000E501}48205572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F5-6112-FE07-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-57F5-6112-FE07-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F5-6112-FE07-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.782{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.784{82A15F94-57F5-6112-FE07-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.598{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E366888337675B6E1CEAEA8B513ACC56,SHA256=C1356DD3D5CB5590DA4A69B2D481C0E31C81C7776BF96F80B3C7B3672CF0C10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.551{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80A65171532EFE1CED9E6CB2368BB11,SHA256=6A92FC5E50C12AD0CBDE8B675873F2EBF0AF6FCE019B6426F5F660B2E4D69DB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.429{82A15F94-57F5-6112-FD07-00000000E501}65201044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F5-6112-FD07-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-57F5-6112-FD07-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.282{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F5-6112-FD07-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.283{82A15F94-57F5-6112-FD07-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.797{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D79D1F19F729AFDF3B56724493595F77,SHA256=2BC99F2EED5BD631BFD56A08ACB642C55CE9E879BA9E1AACB08E3ED23003B588,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.613{82A15F94-57F6-6112-FF07-00000000E501}1084104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.566{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8015722E8228E21BEE5E997A588FAC17,SHA256=82A1F6F63E1F197631967F160FADCF8BEB1C5B0F7792B39EA524D1482A02AAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031885Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:58.655{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFA70D6C4AF99D4A0DE148A9372E547,SHA256=3D43B37E1B581E70C1F30064E7C7C500A5E5D6DF816D989B5CAE84073210302D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F6-6112-FF07-00000000E501}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-57F6-6112-FF07-00000000E501}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.466{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F6-6112-FF07-00000000E501}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:58.467{82A15F94-57F6-6112-FF07-00000000E501}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031887Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:57.954{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031886Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:41:59.671{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961C9ACF2A17F16302050FDD79D4020E,SHA256=B006B089060292314D2B1B4E683E9D5EE7CBD75A289F2E0F36EB2950BC56DCBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.596{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC6FC35C11D3EF8ABC864FCCECD3EC4,SHA256=E0D3699DEF824F9488C123C42F0696BE77B50C09BA7EC089278E440A394CA3F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.148{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-57F7-6112-0008-00000000E501}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.146{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-57F7-6112-0008-00000000E501}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.145{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-57F7-6112-0008-00000000E501}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:59.144{82A15F94-57F7-6112-0008-00000000E501}440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031888Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:00.686{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75FBDCA2386F2C2F3A63DE4B735A0F8,SHA256=EA9E1C94240B3DF1C4A4DE65EF66A3F1E121891ABA89AD51B8C3BD6DD82B2C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:00.645{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA6EAAC850B41432A9DA62190F9016F,SHA256=6A9BBD84C947AD8E3C50D8090BD9BFEEE5939E127DCE2385BA98D29C280206D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:41:57.501{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64287-false10.0.1.12-8000- 23542300x800000000000000045404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:00.149{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87BB040BFB6F98159B160B5F1CD61FA3,SHA256=7B2F2EF51026C4AB0FDD8B897CEE8CDCF04C47654A4711049497C5B48908D9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031889Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:01.702{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8173DDFC6A75752C685DF4E1B89191,SHA256=E53515E2DB29F8DEB5A09C3A5B1D01E03488E32C345E61E42D5C006364BDB8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:01.664{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD523A1C25D7DE503E0EDF4DDE09865F,SHA256=B402E9C86E3571E1B50D7C2E3786840DF7C4786177129D2B32F5806EBD1862B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:02.725{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE22CCD6B6E9AD68EBE691E903B46C2B,SHA256=B00BC7B62D8024F01F263B2B3EE3EA511C7D53A67F8D7E5D58D122E39B7F14B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031890Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:02.718{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36904341D151F46AB1BAE7FA124CCB0E,SHA256=BBDB7679AD2CB39201A6D2CC23F7F6697287B377132A44974AB24BF5F607A254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:02.026{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=565167A061EAB3FE53C2035D64AFAC61,SHA256=05FE14DEC0CB0B76F4D3225EEA5AF186151D59A13E1B0EF1EBC118EC5DBB8C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031892Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:03.733{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031891Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:03.733{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F46DBFDD784DBF79337042A8C84A3D,SHA256=1798E4100DBE6C4BC4446CA1ECD5095236FC57D22A9D18F90AA25866EB0486F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:03.743{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CF356715D5743FF9DA3E5134737968,SHA256=1E70E06C72F3A76E2EC0CA2A9C0901E406AAD9B9347B72482424462EAF7DD97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031893Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:04.764{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5B08DAFD85B9D7AF7B33D3CA41CBDF,SHA256=1175892B1B0F456826FA870A7FD54391C17BD53FA3FC43C1C9E113862A9AA923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:04.777{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E142267AFBF44535A6F520CD0FF0070B,SHA256=F3528829F53A5478606C52F9A523DDE9F27762CD3B27CE4014E778C5D0BD82EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:04.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F3F336B14D2F80C73D512C7A899980,SHA256=659ED04732CC81E6DEB7B875C0D8FFA332D248955BF45761D94CE4A03787B3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031896Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:05.764{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716CBF8504D72738B04F378CD108B472,SHA256=FE1F3DDB6EDA718C216080454857A12A3C4B8E256203B1A8D95FBD41B77482C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:05.776{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0185DD111A9543C5CC0BA438B3D14418,SHA256=342E2930827D65A2973C61C9478036DD84D1B639A7374FE30A08D03F66D17096,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031895Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:03.938{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031894Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:03.501{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000045413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:02.698{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64288-false10.0.1.12-8000- 23542300x800000000000000045415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:06.778{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345FEFF301A3EEF4EDCD44744BC4F924,SHA256=E08C526E8460DABF3D7DDB31E2A88D0BB8048B9156FE2631894868DE701A99DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031897Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:06.780{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB075146B732DF61989BC311DFBC3CAC,SHA256=EA8AC3A9A4B9B844AF91266C1CB4FDAC9829D560487CD960BC97823DE4E7E7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:07.808{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66007DA1414B879AA55F78B953CEE4FE,SHA256=BF19AAFC277AF6E0E8E561181076E86E21060F1BB9B17C443B495A92CF1F7F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031898Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:07.780{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BAC5B96D7D06FF4EF7F6569EADDA48,SHA256=57C02F26CCD8716F92540A6E1540BA85321FBE8015F5EC33FFD39CFD74325F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031899Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:08.785{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBDC0011C9C9D4311087BA58B89D59C,SHA256=203F63006192E99BF598F422BDA8908C8ECCCB3FDB2EDFD3B2B49FFBEFE8972C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:08.841{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCABD541E9D49B6797FF6DE17A8B4E8,SHA256=0627803A8CC91C63E1D8ABC41E9E1ECD298E54241C97E29B2809C7C875EFC71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031900Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:09.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0C2B5465930B47A9C2D0E29808AEED,SHA256=7CDDFCA970769F783DAE1F0161648151010000E3323F839386AB8CCC4CCB58E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:09.860{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866B055F085395CC85E0423112CBB648,SHA256=8489BC4FFBE1524EE1C7D480BFB42E9D0762DA9B83CBAEBAF191C2D7B6F21624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031901Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:10.816{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D257D8419966448B60E40E251268200A,SHA256=3359302A96AE264961360BDFECBC5D086374D35F8702EF4BF61FF83D79348EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:10.890{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F2E3525839268429C351FECF864584,SHA256=28773F4AB608D2877AA608DA434486C99D7E51DC5D8CDF70AEC439DD10A7A367,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:08.674{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64289-false10.0.1.12-8000- 23542300x800000000000000045421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:11.921{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3C91B9F309315C7212478A688D79B6,SHA256=676027D9688AFC52D7C6E1EE73568802E1E00569E55FD8441F717D4FD8FD6D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:12.958{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C469CF12F8F4395EA32AB06DDEBDFEF0,SHA256=FE5A161D5BE84D026241A883745CD377765F1BD03E5A6266D632F52CC7CA0108,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031903Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:09.943{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031902Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:12.035{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4416994F92CD14EBB0E697ADEC4344,SHA256=B8FF030CDE338024D9BBD751E2F273E129FE6DF6AC7712A9ABA01A2F5A50077B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:13.973{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F4F099EC1F5BFD4B757DFB5BA921B8,SHA256=27E30AECA9081F7DD3870123C70B29A8065C780C3EF3139D0BB47CBFE7DF4B26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031917Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5805-6112-7206-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031916Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031915Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031914Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031913Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031912Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031911Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031910Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031909Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031908Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031907Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5805-6112-7206-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031906Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.675{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5805-6112-7206-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031905Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.676{82855F7C-5805-6112-7206-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031904Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:13.050{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8563BB58742DB6373FA060F31056F1,SHA256=4AE4B692AAE18F542CE7BAA08CBDFEA3F9839EAEE20B56F474E43AECCB510763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:14.976{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8452D44807A9836656BEEFF816B2EF,SHA256=7E8FE6ABEB9E041EF60D64152A0D7B46A44B40588F4A1AE5029E613F73A773F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031948Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.988{82855F7C-5806-6112-7406-00000000E601}3124960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031947Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5806-6112-7406-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031946Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031945Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031944Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031943Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031942Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031941Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031940Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031939Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031938Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031937Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5806-6112-7406-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031936Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.832{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5806-6112-7406-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031935Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.833{82855F7C-5806-6112-7406-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031934Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.753{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DCF3CD541F404AD4C79876ECAE39047,SHA256=71581CCBCF33DE5F5A77C8F50409BF79323FC78E63399387DCF0EEA8E8CD0CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031933Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.691{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509C22B6D4E8FC059C07791B821B0477,SHA256=B5201A3F23A3E2095C81E00CA72F98F11AF861C9D3357B78CC20136F95C00AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031932Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.691{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CACAD8A3A9C6A152FA11D8830866237,SHA256=9C2A2037FB277260428A5A9CC325B6B1F008EC254F04316E624D09142CA09ED0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031931Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5806-6112-7306-00000000E601}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031930Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031929Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031928Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031927Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031926Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031925Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031924Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031923Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031922Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031921Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5806-6112-7306-00000000E601}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031920Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.175{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5806-6112-7306-00000000E601}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031919Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.177{82855F7C-5806-6112-7306-00000000E601}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031918Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.066{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F699A3C8714B753B1235D989BB1ADB8,SHA256=F2A88265844D2E32FF1E001297D15D3D665E4744EF8074B305BD3250C59B387B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:15.991{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11734243F9B8629B69F8F7CE849C877,SHA256=0856AFD2B264436F2EC0EC1A59476E622A203AD84FA22FE75A32F203A7DB799F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031950Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:15.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509C22B6D4E8FC059C07791B821B0477,SHA256=B5201A3F23A3E2095C81E00CA72F98F11AF861C9D3357B78CC20136F95C00AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031949Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:15.191{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F865168E099C5138F30364D349C34EA7,SHA256=3CF593392488838EAF31A179FAC7B947E8DCDAF8DC8811173CEDB199455BCA16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031980Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.863{82855F7C-5808-6112-7606-00000000E601}8842192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031979Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5808-6112-7606-00000000E601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031978Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031977Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031976Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031975Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031974Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031973Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031972Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031971Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031970Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031969Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5808-6112-7606-00000000E601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031968Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.691{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5808-6112-7606-00000000E601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031967Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.692{82855F7C-5808-6112-7606-00000000E601}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031966Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:14.959{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031965Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.207{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBE2A016344FF55682A94490BE50287,SHA256=FC263DFA34B27B3E1C9F15460C1F047B9A7B5ED8CF75F740E6D362C5AF338716,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031964Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.160{82855F7C-5808-6112-7506-00000000E601}20082588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031963Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5808-6112-7506-00000000E601}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031962Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031961Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031960Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031959Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031958Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031957Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031956Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031955Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031954Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031953Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5808-6112-7506-00000000E601}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031952Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.019{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5808-6112-7506-00000000E601}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031951Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:16.020{82855F7C-5808-6112-7506-00000000E601}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031996Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.535{82855F7C-5809-6112-7706-00000000E601}2460800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031995Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5809-6112-7706-00000000E601}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031994Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031993Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031992Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031991Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031990Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031989Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031988Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031987Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031986Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031985Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5809-6112-7706-00000000E601}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031984Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.363{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5809-6112-7706-00000000E601}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031983Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.364{82855F7C-5809-6112-7706-00000000E601}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031982Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.253{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A3235940C7BC53B37E783506C64DE3,SHA256=A40ECA2451B37880D6398C12560DF4ACECC062FC733BE30F8B5DCE618445C813,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:14.673{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64290-false10.0.1.12-8000- 23542300x800000000000000045426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:17.005{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA17E40E038EF074609D74CF842D2732,SHA256=A1B435E697A169CE9F343DBBB26BB8E584DDADA417E8BF2A409FEB209484D230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031981Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:17.035{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5043577B7238D21AFA8BB208AE2BEC6,SHA256=8F38B1E68F44C114ACE8CCBA298050ADDDD621BFC6C0B3DF0B06F99C1EF5DE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032011Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.613{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F09944884806946FE25785F374F20F1,SHA256=ECD444526A89061FDF9E52B20732D8D5A9950116363B8581B423AAC3683FA02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032010Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.613{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB10A5BA7340BE21206D0EDCBF22B81E,SHA256=8A1C627207A8199EFCF2471CCFA7075CD8F58DEB048CF909C6F7E935B872909D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:18.542{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:18.489{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000045431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:18.489{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000045430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:42:18.489{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.55.10684561C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:42:18.489{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.55.10684561C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000045428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:18.020{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC9A65B9B61644B95E829ADF4DB62DA,SHA256=9B865530CBDECBEFEC1415F7675DE08B7227F746C48C9FCD21305CEF56E04235,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032009Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-580A-6112-7806-00000000E601}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032008Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032007Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032006Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032005Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032004Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032003Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032002Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032001Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032000Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031999Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-580A-6112-7806-00000000E601}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000031998Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-580A-6112-7806-00000000E601}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000031997Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:18.035{82855F7C-580A-6112-7806-00000000E601}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032012Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:19.628{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F173B9034A73D9DA5735698FD28016E,SHA256=36867198913FBD2F0BDC69723C4181A6C4931F03DC32E6FF6781487C96ABBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:19.021{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D433BDA085ACC1814437C7EF95BA2CF,SHA256=DC617BA7CC6F4429AAA89715F1C5435EC6CAF966B050DD05F3A6D4619515C46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032013Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:20.660{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A79C7B305AE55D69B8229202DC9B4B,SHA256=0F18A51F8D40E34836F40A881305DF67B6952D7876640E8855469885F36BFF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:20.074{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB94C1AD1EC02CE803B33D952845519,SHA256=7620E9403A0A744AAD297BD57BAA78A8C72B00F5F24E2E7109673C8597E92951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032014Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:21.769{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7816BBAF9866EF96D98A7F1992D663B9,SHA256=B97D8B0D9B89D99D57F30549E27B332C87B5BAFD30A273EB574D5AA4F6C2C1C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:21.089{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E013A5C81F7E140C9BC1C8506B57341,SHA256=1FAF539AD228EA43DD7E0388EA43AEC2A40D31C346F0F1F8B7D10E764878EBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032016Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:22.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9E8D01B77511F3768B0E5A19D31E55,SHA256=B287D25DCB9C2452F8672576CB4C02C19E81FAD84967A328950F380E9CE3A071,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:20.456{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64291-false10.0.1.12-8000- 23542300x800000000000000045437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:22.120{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BB4254ABDCC908B5253D49E727EF12,SHA256=78753C376001C6E557656DA56B2B2520A46158C552C90D9D102DD84513F699D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032015Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:20.880{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032017Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:23.832{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CCECEFA74466707B67A548926834D6,SHA256=5D08B09B438B1F3A83EE01CA63B4FA012FD5A47C87CBE3E1BA42985A80EB9B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:23.120{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70284DAF6AAF423D4968779091A5EE43,SHA256=2CF5D539D93D6BF6D7574878635D626D9CE5D253A9536F0BEA124EFBE77C3AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032018Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:24.863{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC881A08027D64C3B8C446DFD4A1B642,SHA256=7D5FC79A0CC0E4D3CFE3C74D734117D886CE5A15E13142BBAD5990F906C88E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:24.120{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981DA3B81CE11C19C08F8DD8B55CD34E,SHA256=F192394DEA17C30725C0A3E0D247172399750606BBC0E882D33738B831F1EA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032019Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:25.878{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120A0E9788DCB40EE3D1DA4574612CC1,SHA256=DA5DF135F2151559D83B341CDC13AD3774D6C71812350F3D426DD5086D6D968C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:25.137{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780F5107E6F518939415C4EB289538EF,SHA256=30346003EB0E361203406ED7DC84E39E9E231E1E32D2C85CF288DDD35C1EA8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032020Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:26.879{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBA090AFAC6692C53C92F02FB2153BB,SHA256=ACCD0891549796DCD7498F69252EDC184E9F121E32E2CBC3A5FD2852FDD7FB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:26.156{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F71339F06D96F2952D79622A447A050,SHA256=28441B0E3C6CBA1C1FFE547BF7761038DB37CFE5629B2F0443B8277DCEF727BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032021Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:27.941{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B368C647428D25262AFB0472BAD1FB0D,SHA256=541585C8F8C8D000A57D5279E5700D0572766499486C8B4A63AED9C7D97078F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:25.591{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64292-false10.0.1.12-8000- 23542300x800000000000000045443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:27.186{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB6172D031850F127BC9500C0334BF9,SHA256=0FAB85D6F5A2A4A7496C8A6AFD76F4EF56C1B5DE865A1D28F1AC42824D47221D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032023Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:28.993{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7A0CEEB6E28064BABA6469938E5DAC,SHA256=CD01EC49115055079A78ACD79FED86BE2748BC38FD8B263B02340A23401BC2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:28.201{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DCC709661328EF3A0E0839D1D83D36,SHA256=C2EFC7C27763444142475A988D8381F163383D82E9BAFDF139F5DAB0172EB51C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032022Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:26.865{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:29.216{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4690574327DC13CB1B67F5E34E833AF9,SHA256=DF03C1DA7F3DEE4209D9ED6295E6B1F3F875629DD7C2AD86BB9ACE22422CBA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:30.568{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:30.233{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0588C622938F5B59CCE6B4EBDA772074,SHA256=BF0D1BFB30B2EFE03FFD33786385B3CEEA85F15CD3F4A04230BDB45D54135EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032024Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:30.024{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3957EFEDB51CA8704F12497106A6D9A,SHA256=43829141EE10A7760E2C106B934C5CA053FE05AD4CC511B77A546042634CE3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032025Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:31.055{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C522FE98DD95CD133ABB9F9330DFC2,SHA256=62AB4E144CBB23BCF1AC7D807701876FD8166EA547EE7FE302A9D4C1E8669B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:31.252{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4567A2A04C064902622D210205986B,SHA256=CE66122FFA48EC98BB753843DBD9CC996739F04CC62F43365734E5234E7943E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032026Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:32.071{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B4E9B73170BE44DD72BD95A1688E6B,SHA256=1CCE8D4057254871E9EC551C688DD05B4A3BD1986247886698B8507D07816532,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:30.603{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64293-false10.0.1.12-8000- 23542300x800000000000000045452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:32.882{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5189497DC2AE22D48C7D9741BBDF277B,SHA256=12621CED297D00CC51F1091A26B94CF5DFC35D5D972E2C0F4402EDAA15199A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:32.882{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E26F7CA2BD956A050FF16695A1ACEBAF,SHA256=6572CD922A53686D7F35240D997B3E0D341B85124DCCDDBA51D1A9B3466B6255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:32.267{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3C4208C61566C79CCFBC529B9D3132,SHA256=BAA3C3EAB81D25B803283551846887D79A2A63E2EA31E5FCA7E60E0C7C5FE50C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:31.287{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64294-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000045456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:31.287{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64294-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000045455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:33.366{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:33.282{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8DB44C181BA9FCE54DD4AAA0E6C0C6,SHA256=98469F1F1126C3F4D22776AE82B8DE3662BD3EADFA584FBF6E26E84B02506871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032027Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:33.086{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D0B4576FB2B330B299B7FD7ABA0A22,SHA256=40E0EAB4078DC0C7AD6F2AB0CFE360B08204AF2A87D912FEDF9BB20C4ED8757E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:34.331{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD554DD0A282FAC0E3FD905BC97B6B16,SHA256=CE79AF0D7C1B0B24352B70F6382582E5E31ACE225A514153E2E4535939B15C87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032029Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:32.901{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032028Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:34.089{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E26CD1841277EE093B20EADA5A80820,SHA256=7E8433F8985A08887B608C61D4728C09E426C31B42D5A42D081BC9203FE86BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:35.350{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE61840569C760F4122092892FC9AE5,SHA256=527EC5358673DAAA5C6B955D4ECD036DD34E802DBE09F59411D2386559FFC256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032030Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:35.102{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2028552AA5A30072DA9835689CB316E4,SHA256=9E66D273ABCE88C7167BF34294D7043944B723946979EC9732005D6DB873EF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:36.365{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F8F2CED1220D0E05E36C2403A7581,SHA256=A7F4A103EE18F6CC1C00610EE7892B1FCBDF193C52080BD5146394317B9C00CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032031Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:36.118{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE739CA51F7A519239AA447B8F7CC27B,SHA256=2903797E9CF06A0D4969257C7784FA6D33041E3285347B4AF011C98E6D908BC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:32.786{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64295-false10.0.1.12-8089- 23542300x800000000000000045462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:37.379{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A066D928C763CF9DFB5D1B288AE7313C,SHA256=337E06E09AAF3622E20060AF4F815995E35B21E19D8090CA0F659B73DFFFDCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032032Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:37.133{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CD3DE7F89D3CFF4681F9C40D73E701,SHA256=72FC5FDD80D6FAC75E142979A2DCC048A6C7D3866E90D750B804623A0EA59BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:38.380{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2BDAAEE9B63796B1834C894BDC82F3,SHA256=EA6187752F2442509DC35657F33822F11C537C1491B51BE063ACE2071315A5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032033Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:38.138{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201650B241DE2A053086C84F918616B4,SHA256=B13AC551848C3505D50FF6693F8EB5B119481CFEEE9DE4C2D752081D16D78DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:39.410{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E384728B010A987A604497E019F78E7,SHA256=E02038A1A5046B71E3725CB34E1E4E4E6EDDDF2EA36ECF00B50D5DC6B22E53D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032034Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:39.151{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487A145F3F111474AC6607C6D0C8DAF7,SHA256=E0D3EC7076B4D75F5A01305FF1EE2EE73BB0186CE485D2DE77A6A95FE2A667A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:36.562{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64296-false10.0.1.12-8000- 23542300x800000000000000045466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:40.429{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BBA078CFEB6DA4FC21BE6D2B233D4E,SHA256=4C6D4A963A5D33D206132DF8F949296FC5100D3038F563469E490DAE64D9CF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032035Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:40.165{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC281708249700DC910C6AEC917CCB7,SHA256=066D8A7C2CC7F20A509836A48C115499DC41DCBF4A4DED01481B80E6B2B79AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:41.447{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF20668315DD78B4CF3A7662ACE2EC0D,SHA256=7B4B9E68CC8D9A010D796B62E8056B8916418CB9BECF53A213636F1828437319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032037Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:41.181{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6230E12427524816F412813D61A3715,SHA256=49254B99C383200FE8CE4249D195C572E9C7ACB9C59B0212B8F9B1066A915D3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032036Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:38.871{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:42.450{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21C6A869A0F7790C2702E9AB3631BB6,SHA256=BDF402A94DB327AF2CFA8DFE5B2F5395C38363FCC68251498DF1E157E3E4D46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032038Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:42.181{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB8ECE4F72F58CA7EA7ADA5382E50A2,SHA256=600EF83D1E3B0CDFE66AEED9B32E781FDD5858E6FD2CB939D2F43D9D3C9643AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:43.465{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579902265171A3C0BD03DCD1D16A7389,SHA256=385E05AE9CF0C86C99EC5A5B7F155BBF8E53F40BCED3B831B2734E3381298E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032039Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:43.197{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE8E9F6C6EED2C570EDFC818AB48B23,SHA256=B3A67BF168E13F0A8027AA58F41A1F2BBB511B0234DFF98DB07DC60E97F6FB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:44.469{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95C56D84CD4FED19777AD76944D67EA,SHA256=F0825C7C4779E05389BA37B0ABCBF8BF94BB48F8ABCB2A93A2E263FBC7A09ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032040Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:44.197{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582EFA8B223F4A7396559F4B1518565E,SHA256=677A43792402F644B25BFFD1E51214F11B7D47DC8021A3D6749D6664F05A507D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:45.483{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F240F8D6515CDD541AEA612841D22E,SHA256=8BE2601CD8E6EFE35F6BE1A5E8EA0A33B6AEF951D1FF28BC0EC6C46A9FC01C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032041Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:45.212{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8DDCEE0710DD79E4CA074006CE0A0C,SHA256=DEC39CAA9444A240A22EC432C5E9871C40DE1544F06C8E2B7B8336D45484455A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:42.517{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64297-false10.0.1.12-8000- 23542300x800000000000000045473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:46.498{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065162961F11269404967325D0744F86,SHA256=B26CDD362960617F511613D1ED3C6FD2DAE88A79F24ED61C4DEA7829589752E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032043Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:44.042{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032042Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:46.228{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E9D998AA4A68E4147966E2C1EA5DCC,SHA256=0288FF9D6B74EAB0CD3E360FE250583B6148DF7EB0E830A4F9B44A9884C17781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:47.513{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5F87869A050344BA66747EF6D7BF3C,SHA256=B40FC791D529C75388D961C4673F3CFE42E896099DF3D16569CB97AE53F58A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032044Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:47.243{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D166DCCDBA175FE84EFE37A8F21DBB,SHA256=0F01165CBC476306DB8FF4E2F6ABA6F387D94FF9938F5AC1AB80CE6C778F5562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:48.532{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39EB077B9A8863A6246AF36F1592AB7,SHA256=44FF97A1D6310E23053B0D3ECCC26378416F6337878989020DD76BCFAFFFAFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032045Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:48.259{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2483002C810C94603D4D244BDAB76DDC,SHA256=4F2F188CF3F2552B46181DDD8DBE443F9B5F1791BAB44CF3598A5445C9EC9B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:49.596{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0D03EB6B887463B29513470C96743A,SHA256=3A42F029FD36DCBC8227616B8ECF1B7B2C11F8FDE683DA7A9B3B34B1A87B8EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032046Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:49.272{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4ADDF981128448F9479FE445C9C68B,SHA256=CA6DA3CC864FA9993D7627DE6A64C09942DF549B627B386978488821EB2B0033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:50.596{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271B57E75CAEA5FDD5FAAA657852C461,SHA256=9609D6F4BDB3C37105D8983714CC0A057E590B6AAB7600149CAF56C7A2C0AF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032047Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:50.288{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BB68097CE1FD16EFE9A121DFE32546,SHA256=39272CB4D5CADB0E2F7DD5328C49EBA191E37626B504955FA94F293372329227,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:47.601{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64298-false10.0.1.12-8000- 23542300x800000000000000045477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:50.149{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF8b1a98.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:51.980{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:51.980{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:51.980{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:51.611{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCE80267C771E68318493EDEAC293E1,SHA256=3157789636F63B4F664E581C32B92E49CA8A703EE609FEBD827A4C4C66043797,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032049Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:50.024{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032048Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:51.304{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3788306D9A5F605BC16C73A01DF4CB,SHA256=E00583C4C058F506149E7A302C9D17F4002DC09325A63D872A1347CDE04545EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:52.630{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33615C89452ADD1F1CA4EE04EA91EAED,SHA256=2B803F8F95BC723E4F7860E2E0C3D516E715654A8FA13CFAB7BF453EAAF09DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032050Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:52.319{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE558C448FB1A358763FAB9F6F45D3B,SHA256=03D06017F0DFB77F4D91A5C17AE36B3E5C0605B10BBCD03FF2CB120E7ADD8AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032051Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:53.335{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BF82ABCA0347EE90E98D1C38FC4547,SHA256=4B5F4139E114A0DEAC773B8CAC33625A62C292C06D872E012B8A1FD394CB6216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:53.663{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDB49614A51919108489D244DA35DF7,SHA256=601243BB33AFA9A7DD9A0BCD73ED5F1F820B41D6D0D08E5ABDC56DBA18B0DF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:54.694{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076CA7600B2F2F178C67A434160DE570,SHA256=D6F69BBEA7B5C4E6A72AA971A2A6BDB39B49A7DC9059C20B84B3ACF30E93CC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032052Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:54.350{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431F1C530C58B8602A01FF895B2C46A1,SHA256=9A3A4496E506AFE45939542797FEE58F5026003FD2B199BD1DD365B96B6F3F69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-582F-6112-0208-00000000E501}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-582F-6112-0208-00000000E501}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.908{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-582F-6112-0208-00000000E501}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.910{82A15F94-582F-6112-0208-00000000E501}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.746{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE271BD1519A0259E7F7E216BF115670,SHA256=1863FFAB2E2ADB38AE7BFBEE2C08568437B11788F6B7950B27FF95FB1551B7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032053Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:55.366{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BFD50086955D1CC6DE0104284FF55C6,SHA256=1431B12654815409E5FA0DDD3D40CACD7EFE4FCD1DE00F53295A4C03A3B38B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:53.614{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64299-false10.0.1.12-8000- 10341000x800000000000000045494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-582F-6112-0108-00000000E501}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-582F-6112-0108-00000000E501}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.246{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-582F-6112-0108-00000000E501}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:55.247{82A15F94-582F-6112-0108-00000000E501}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.776{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BE119ABF92C352817C29CCD873BFC7,SHA256=CC11E0E82BB01E687392AD0C9F3B26C7F960957015E8F640281EB187C58D09B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032054Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:56.382{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126D09CB45F2A8ACBF246A861F7136B4,SHA256=D2079F7C048F5F1BD108CE2E97FE1139ADC1544D43EBE225622A8F2E75FBC4EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.528{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5830-6112-0308-00000000E501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.526{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.526{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.526{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.526{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.525{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5830-6112-0308-00000000E501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.525{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5830-6112-0308-00000000E501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.524{82A15F94-5830-6112-0308-00000000E501}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.261{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=011240D04A49A6A7093539519FDF2535,SHA256=34AE46F65828733110D9FBCC4533B11C9EB6C07E114BB93BFC750AEDB114612A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.261{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5189497DC2AE22D48C7D9741BBDF277B,SHA256=12621CED297D00CC51F1091A26B94CF5DFC35D5D972E2C0F4402EDAA15199A13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:56.061{82A15F94-582F-6112-0208-00000000E501}54483476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5831-6112-0508-00000000E501}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5831-6112-0508-00000000E501}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.975{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5831-6112-0508-00000000E501}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.976{82A15F94-5831-6112-0508-00000000E501}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.807{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0E3BAA63117CE87C02FDF4BAE09463,SHA256=609395FA7DEAF0961966643D51B804D15C13455676B85A0246CA9522DBEAFA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032056Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:55.852{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032055Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:57.397{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7B5437C3B8FC1CC8170ADA5C7292F8,SHA256=34F4355CA71ADC556C2C7F2F04021BE9A8E3DC931D535DF4ADE7340ECDA91E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=011240D04A49A6A7093539519FDF2535,SHA256=34AE46F65828733110D9FBCC4533B11C9EB6C07E114BB93BFC750AEDB114612A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.507{82A15F94-5831-6112-0408-00000000E501}40485460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5831-6112-0408-00000000E501}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5831-6112-0408-00000000E501}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.307{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5831-6112-0408-00000000E501}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:57.308{82A15F94-5831-6112-0408-00000000E501}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045546Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.828{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A249D77E7FA2CBA32FDC98018520BF5,SHA256=BDA467FFE947AE296426667C131FC930EB27805FF01DF2751FFD9B7E85BF6DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032057Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:58.413{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01093EC3CCF7D13E67767BC527D8F884,SHA256=4BBCE12ECB0B32B3F6EC135E98BB2FEE735F06376D462C9610A2A422B1FA261F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045545Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.626{82A15F94-5832-6112-0608-00000000E501}1020520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5832-6112-0608-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5832-6112-0608-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.475{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5832-6112-0608-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.476{82A15F94-5832-6112-0608-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:58.128{82A15F94-5831-6112-0508-00000000E501}67843984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045556Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.874{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2F852124AB79CB185B2A5F6B1983C2,SHA256=2D7C11E1369B2CC9C5DAA93B6DF4FB6AAC1BAD6ADBB8698F317D2457A454435D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032058Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:42:59.429{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870BB233A98D46C254E1FB6F573E42C0,SHA256=2E541F161BB644B1E00B1675DF5A91317B235B04CA857EC42AC1407592444AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045555Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5833-6112-0708-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045554Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045553Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045552Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045551Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045550Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5833-6112-0708-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045549Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.091{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5833-6112-0708-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045548Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.093{82A15F94-5833-6112-0708-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045547Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.006{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54216F179AB5C0AD2EE0D98CA25C316,SHA256=C0294D347AE26803774A13C0C6AD88156ED7718352275B33BAB3E183958E1CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045558Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:00.905{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A14281F7074F499BFA866FB9563BDF,SHA256=A610D4EDF47075BC7E8A70BD2929158746CE94124B7C7C6AD04B2492A8C01204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032059Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:00.444{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F89B15FEDC27F9D760CA20D0A825695,SHA256=248B59E9053E736FF79CEDA439B5048FA8E6C1F95F0A6EFFBE99F704EE2109E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045557Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:00.124{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=842DCFC95BB40E926F2249C3C6ED1FDD,SHA256=533DAEB2F1F7FE94C0218CE5E6C6A49B1754A7E8988D5C8494D1E11652391A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045560Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:01.923{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEB708915D24D046B49FC0FE21A43B0,SHA256=616DA764CC317A2B19AD983B42C5CF127665AE6A810621A968880B4B6D637857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032060Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:01.460{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7476019102BCC706C97590599ACEFB22,SHA256=7EBB20C6083D499A42E28EF9A6ED9EF5EAF7A41975E221960CE59D1D4C0BFB9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045559Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:42:59.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64300-false10.0.1.12-8000- 23542300x800000000000000045562Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:02.941{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E990781C7D179BA35777337C9A9D953A,SHA256=224600BD53C7C270D1B3498FF4CF743B75314B76A1A0C7E7DA6C0C8F646A950A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032062Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:00.852{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032061Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:02.475{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D513AA2F217BC64976DA1D9DFD3D6DD1,SHA256=DE4D61D11620FCAAAAFA868FBFAF1F0DD0BE9CF95392ED28BE0556ABDDB1B6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045561Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:02.042{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EAC6EE9770F74DB8C358686FE91FDA5E,SHA256=8D8356FF686AA5A2B62C0FB839C3AB9CB158B7AC536660EFF9C6083B2E743A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045563Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:03.956{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5263218C099DB4C818387753F075D1F8,SHA256=C2EAEF762B0EFEBC6B842056BFD6AFE53C04FBCCA75A01408711DA0F308709B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032064Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:03.757{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032063Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:03.491{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB8792B41D968EE27206AFF3DB99261,SHA256=5A5441BAA07DFA9DF1C25314EBE5D23C39F9CDBF2DC8366E2E528914B7BC5603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032065Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:04.554{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB854D2D3F0FE882A0CB1A4944567F6,SHA256=7FB7293B7A7BF4C1DE2ACF2253B5BB820C338D0D7BF5A49DFAEBF857BA241478,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045595Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045594Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045593Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045592Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045591Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045590Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045589Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045588Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045587Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045586Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045585Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045584Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.919{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045583Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045582Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045581Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045580Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045579Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045578Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045577Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045576Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045575Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045574Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045573Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045572Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045571Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045570Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045569Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045568Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045567Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045566Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.918{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045565Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.917{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045564Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:04.917{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000032067Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:03.524{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032066Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:05.632{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE01D3BD9FDAB659DD5E3B9ADF0C911,SHA256=B7731DF3AC5E08E20902C6933CA3A7533253F148F54C8C28A99D6E8C3FB8A6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045596Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:05.339{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC0B34A7BAC7791D64DF385449A3629,SHA256=381A64163EF6C6688D59AC0EE74F6A0D826DDC696F4A8B3031729D5405DC9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032068Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:06.663{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CB0557DA6E5696546C88C260A299A9,SHA256=498C62EE40501C26635CCBD74F1E4BC019A59F8BB52277739FA6283B182542BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045597Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:06.353{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BD8B2776113A2AEFDA664E937EBB6,SHA256=F2B38FCE5B911EB849BCD1D8A764558C9B01689FBD8393FAA4D24C1EDB8FACB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032070Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:05.899{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51460-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032069Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:07.725{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B89570E97829F7B70FDA533EEF0E68,SHA256=4CCFA017D704204BC986E5BB92A3F694DC2788B3402B7B1D4E2FB4DFC7C52BD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045599Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:05.551{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64301-false10.0.1.12-8000- 23542300x800000000000000045598Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:07.368{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69A07781C2A2DC183954207F817AD05,SHA256=8627ECF17F91A6A2E5821CCB056C1254ED60FCBF9962585531D6A14AD897A95C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045600Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:08.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00A9BF1C80176DD874848943A965415,SHA256=3EC8A72EE0449C20CEA5E9A85748936CDDDF1E177CC2092F1545CA788FDC2E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032071Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:08.745{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96F6C7F75AFFE16BD675424237D806D,SHA256=AEA5E3DE27F54B4CCECE08E4758EE62F475954B884C3975AAE5829191E731ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032072Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:09.745{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910828B82E6005A34CC608D046864694,SHA256=7615ECD6445CCE2EDCD2B23716ABB2D7794DEB0C3B04E6FB49BB2C7B7C12D83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045601Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:09.398{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858BC4A620A48E72A8504BAC22DD1882,SHA256=ED2AFAFDFC7ECC3BC34A75682E28886824B7D6D6FF4FA9E3439CF36B18134107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032073Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:10.776{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAF77F429ECC36BE1461A18C3C0B717,SHA256=9FB293FF6CD4807E313CCEE899EB44BCC996842EDD74ED40216D3E563F723275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045602Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:10.416{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2B21B9F643B1C3B5F100C4F90F8951,SHA256=433DA6CD5724D2353DDC44626C9A11EACB2555E4CAADE236C833F0DDFF6BDEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032074Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:11.807{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F2AE916BF492505F2DD9DA17463678,SHA256=E23C4FC9CFC3FBD74AA5639A85EA8A67319D4766777FC7CB522764EB9F34BCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045603Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:11.465{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13498B4489C625B9D5041B515FD2B61,SHA256=B99D63B88CD446E2D43E1A1EFDA3B34E19F066DC0DEDF83F627A8B6CA5585321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032075Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:12.870{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B674726A94EBB425FF4EC906DF905455,SHA256=346B50C0EB23CBDFCB038C6B433095A5165CCACE23F51098AFF096B65C8CD22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045604Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:12.480{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EABB4E340B04428DA6CE3F3D8CD5BCA,SHA256=50260B51320660C9F3F5F4ECD91F5C33914AEDE993C7BEDA50AD3823FAD58A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032089Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.886{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DD51617753DB0A3DEC0659437F09E6,SHA256=91116B12B1D5BC02C6F2D162EF2F4017D10A4042E4FB3ABBEACB730707A2E918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045605Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:13.495{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A593CAD282D9E98B9FFA2364FF06CE0E,SHA256=0D27A84C56DF9EE0E278223309437CDD192F1D83C605660B51147606A9380AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032088Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5841-6112-7906-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032087Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032086Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032085Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032084Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032083Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032082Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032081Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032080Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032079Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032078Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5841-6112-7906-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032077Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.667{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5841-6112-7906-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032076Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:13.668{82855F7C-5841-6112-7906-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032108Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.948{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D995E31CD03F02359026270B1B57B9,SHA256=7FA325B53EA4524C9B89D952E078C7D073D2D85C018350A3FFF135756AE3633B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045607Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:11.584{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64302-false10.0.1.12-8000- 23542300x800000000000000045606Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:14.513{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E545C2820B4B05C5A6B273BBB3C75D10,SHA256=55F29FD98E6944E3CE5CDED3DEE54C45A31708DAE1CBC3874BB5E53218B8E997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032107Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.761{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A2A937088EC9AA8CA8E259F10DB801DA,SHA256=BF88F28739B16B488819F647FFC8181FE10853723DE690C85FD2E4F87A140113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032106Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.698{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A289FFA848B1B836BE977EFA8B90444E,SHA256=05B2A12CE6D726EFF1DD51DBEBFA6A572BB503EF3156ADF21E0F45BB06BEDE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032105Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.698{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BEDCCB4735649F9583DBBC8002985DC,SHA256=65E78B8839B23D140CEC74818739049C827B643EAE1AC1BF60DAB7B7A5AD2AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032104Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.479{82855F7C-5842-6112-7A06-00000000E601}40122636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032103Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5842-6112-7A06-00000000E601}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032102Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032101Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032100Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032099Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032098Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032097Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032096Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032095Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032094Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032093Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5842-6112-7A06-00000000E601}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032092Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5842-6112-7A06-00000000E601}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032091Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:14.339{82855F7C-5842-6112-7A06-00000000E601}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032090Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:11.887{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032123Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.964{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FFC179AF2680D257ED7B2CEEA8A56B,SHA256=D0D4F93056335470AAA9F630BD65DABBD48E135040E0482B24602740BA6545E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032122Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.964{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE161F031B257353DC8204F60AF3BC0,SHA256=100DDD793204B4AC4FD03DFEAE60651100C13D61F7A60982DC26EE1B1F1C954F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045608Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:15.531{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BB989B730455DED047A8984D7C009B,SHA256=B15BE3B93E33F08EA0214E24E182CCCB8649B72BB1B290E1BB19A98837F2B65B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032121Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5843-6112-7B06-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032120Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032119Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032118Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032117Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032116Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032115Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032114Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032113Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032112Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032111Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5843-6112-7B06-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032110Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5843-6112-7B06-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032109Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:15.011{82855F7C-5843-6112-7B06-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045609Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:16.546{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D33949E6E7D65A9212841EB551813C8,SHA256=548CA2C60755F17EBD32D531CF466DDFAA25381190AB5D92784E781FF8CEE974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032152Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.839{82855F7C-5844-6112-7D06-00000000E601}30763584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032151Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5844-6112-7D06-00000000E601}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032150Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032149Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032148Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032147Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032146Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032145Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032144Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032143Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032142Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032141Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5844-6112-7D06-00000000E601}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032140Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.698{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5844-6112-7D06-00000000E601}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032139Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.699{82855F7C-5844-6112-7D06-00000000E601}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032138Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.182{82855F7C-5844-6112-7C06-00000000E601}38123636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032137Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.042{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A289FFA848B1B836BE977EFA8B90444E,SHA256=05B2A12CE6D726EFF1DD51DBEBFA6A572BB503EF3156ADF21E0F45BB06BEDE86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032136Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5844-6112-7C06-00000000E601}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032135Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032134Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032133Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5844-6112-7C06-00000000E601}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032132Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032131Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032130Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032129Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032128Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5844-6112-7C06-00000000E601}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032127Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032126Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032125Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032124Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:16.027{82855F7C-5844-6112-7C06-00000000E601}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045610Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:17.577{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CF8B1DF4E196A59B1254C9C74C847D,SHA256=6A3A39C5532F14B01C6D7D48784D7F14BB502C8C5AA6D19A0680BE5E1D88319A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032180Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5845-6112-7F06-00000000E601}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032179Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032178Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032177Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032176Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032175Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032174Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032173Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032172Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032171Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032170Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5845-6112-7F06-00000000E601}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032169Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.870{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5845-6112-7F06-00000000E601}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032168Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.871{82855F7C-5845-6112-7F06-00000000E601}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032167Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.761{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77563301710B866CEFD88075D58E6405,SHA256=E90058AF158778A755FB7B9BB94E032D99A5920648D7184EB128AEA336048882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032166Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.464{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A370A476DC133E8E264EB85955E23881,SHA256=3E8165E65593CCA5D04FD217294997B3B582BBF851C1F749696E22EBB40BB72A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032165Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5845-6112-7E06-00000000E601}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032164Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032163Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032162Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032161Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032160Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032159Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032158Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032157Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032156Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032155Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5845-6112-7E06-00000000E601}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032154Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.370{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5845-6112-7E06-00000000E601}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032153Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.371{82855F7C-5845-6112-7E06-00000000E601}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045616Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:18.592{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B7C9CFCE31767B9F15FC55502FAFCD,SHA256=31FA1EA88CD4ABF08B93D72164218733673B465816A80F3047C715EC8F68C58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032183Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:18.901{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01391997AC92F30C896C1B3EC5B79C31,SHA256=3AE8EA0DBC646A7F2CE3C4F957638CEB280CD99C74F50D02D6C5D7DE650C5E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032182Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:18.464{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06ED85351CEA34430EAB2DFBEBFC137,SHA256=8DEA7E9FB5240BE28F4A8CC156407167E0629A649A48AD4E629D0ADEEB32308F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045615Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:18.529{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045614Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:18.476{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000045613Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:18.476{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000045612Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:43:18.476{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.56.102192821C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045611Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:43:18.476{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.56.102192821C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032181Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:18.073{82855F7C-5845-6112-7F06-00000000E601}22402928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032185Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:19.511{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1282B689899E2E2EA2AEF7F131821AD,SHA256=FE919EA7E464516D5C3A62955A360E36F1C594CE440612EAC3493F2D6AA848B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045617Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:19.609{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C7D5B3EA3370631B1EE4EF1E85BF0B,SHA256=6966FE48FBA8176EDE7B2D2C6FD667EB9116F3739EABDFB1B465B345C8B9E738,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032184Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:17.902{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032186Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:20.511{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8236339BFF08E5B2097F4CC644C17EEE,SHA256=95C477E3D2E99BA3E6741897C2FAB3CA7DFB9F9D490E63F6CBA6FEC8E6A2678A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045619Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:20.675{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B47E75ED5C8BB40A9ECA0661BD15FDB,SHA256=C88797BFBE3EA5AB1786171BBC07DF4F7E3C5A1B663E96B3861722AF04716512,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045618Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:16.597{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64303-false10.0.1.12-8000- 23542300x800000000000000045620Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:21.708{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F7B6603684A7C0056B0BE3870D4077,SHA256=ABF65CC00AFE23D0711DE6B45073ADE733B3A2F16FEEE47C87DC8B569B62CCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032187Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:21.526{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C3DB782B126A1B4A090C1541218DCF,SHA256=B962D38A1B3328C0301BA974CCE68029DA3AB36916FC27D203DE648C285F128A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045621Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:22.712{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F885DA89CC49B6F7B439D127F6836545,SHA256=29913E68FE3953D6B76F11A86ED32D5D354883DC2645EE3D3A93E9CDB0ECFC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032188Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:22.573{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD5FB8F1ABBCBFAC25892383E467931,SHA256=785C5FBEBB139F52184347E9C6C0A9F530417F0E10AF42D633A43EC8A0C3C62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045622Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:23.731{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF6DC225FCEA7944A8D308DDD84B3DD,SHA256=EF49B3B640741179C2383B72693541BBF033E8CAA271B0AD2FEDDC9A2EFB0E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032189Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:23.589{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD953B2680B204267CAF58294971A60,SHA256=631A5032E304BD770935C7C54654F7E0C0D642F8532E2024CCD75A7BCEE0FA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032190Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:24.636{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF51966240E14DF3EB850B868472B7B,SHA256=6C80D144031CD1B3D409840DCA0300A2B3037D324668EF0564EA565A36EC42F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045623Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:24.746{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C660E7278BDF833309E16CC0143E928,SHA256=74B7DC095FFCC2B0FB1CDFECA0260EC206B8DDA800A6666AD8B9A0D164EB95DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032192Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:23.902{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032191Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:25.667{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6263EE7E355D9A29124BF42260D6C7,SHA256=DE75CB940A1A0FEAF000EB7F90D5DAD9D31A1888059335160E911850566289E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045625Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:25.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7795E51D40421750903A2EB41ADD781,SHA256=AA345CF3A8351A53B30E4FB30BF2AE5D178A3C9D173FCF565E9EDA94CA7A9A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045624Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:22.546{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64304-false10.0.1.12-8000- 23542300x800000000000000045626Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:26.776{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1990343FCA8E391BB5E8BE8E5295A409,SHA256=87CD7C80905B6C852C570022F45368244DA9A7EE4592AC8AE5AB0D236FF078B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032193Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:26.714{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49C4F13F69BED2614ACB5952ACEBFB9,SHA256=DA39336B420BF1F9700EC9BE3CAA5C9828C374369BDC61923AA002C6F7791EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045627Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:27.809{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769E801B9DD70C9A542DD5668C147F68,SHA256=FC04B2D7C634A793CAB607B564E049E1A6EB7AD9391D7BCF3191B258318F2751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032194Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:27.729{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF78060FEABF3ACF8DD89F89F547BDB,SHA256=194E8E2247DC6254E3BC3395C7DEF6B24D7B0F9C2862410AECAC328C22A66FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045630Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:28.943{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DA1DBF0FBC434DED879AF16D115C3CA,SHA256=44328C46562BB4C51421976072CBAA302BB92373BE4B2D20C867AFA753C5FA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045629Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:28.943{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0277B3B2CB50008568E43766D725F95D,SHA256=E14088D767FCBE10DE6ECE7611658265CF719AA1DC22884DA0554508C1FE8760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045628Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:28.828{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772E269ABFBF8A90AB5647B92B8AAFCC,SHA256=13D483F5CEF096D89E6476F2C3B221E2E7277C1B6DA96B2DC9F3793C75DCE676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032195Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:28.781{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63DFB7C8BF141529EAEAFF5D84C5806,SHA256=09256276625A5D667E04C9915D6BDF0265361837211522AA716EC8E65E53DC9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032196Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:29.812{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9954DAA79914B7DEC201D493D5A310D2,SHA256=E07624607F071FC45AC045319AC1490A7EFC79EB0AE3DAB9C0BB667F40FE6DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045631Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:29.875{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBD31A28A1BDDBA4C6BBA8773205358,SHA256=105A116DC5274706F4D86A5A4F9771841F00494EEF81D3794E4B4B69A93B7439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045633Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:30.890{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478662D60F15B83A662B5A25378DECD0,SHA256=821001A96F8C4CA557577DEB2175F00F4C7C7526C3F0F8EC19A0CC8CA524CD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032197Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:30.812{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21414390113C04DAF9029816535F90F3,SHA256=09361DFBA627A70FA6C57B1C60D8D00EB3D29BA817D7A94907845A929E571450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045632Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:30.559{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045635Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:31.908{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642B6941BE0791B5DDE31CD95A70F54B,SHA256=E44DBFB4E8A4BC5EBDAB487D417D84B834CCF75A29086B5DF276BD6A5DDE9372,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032199Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:29.845{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51464-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032198Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:31.828{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACED1B5F8C7AFCBDC7E3E3EABCB4EF5F,SHA256=F55CF362094AECD7A27742668A3B0C37393F972CAFCAC485F60287A8A5085DAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045634Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:28.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64305-false10.0.1.12-8000- 23542300x800000000000000045637Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:32.973{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319DFF6DACD1F4ADB0EB31DDC102A0A6,SHA256=9D89F348F1800D56E5AF0502F3B9EAEC7900B8716648793265AA6EE9C33E966E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032200Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:32.843{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7F07C1494C37765C91F4FD8B59BECA,SHA256=D98589567741ADBA50DC5DE30503A99FD871E0D6E31D5B4FF7EC769D9D7D35EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045636Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:32.873{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DA1DBF0FBC434DED879AF16D115C3CA,SHA256=44328C46562BB4C51421976072CBAA302BB92373BE4B2D20C867AFA753C5FA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045641Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:33.988{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456C3A8BB8D6E4A82FEB80142D740C6B,SHA256=6029E7BBB7C8AAC29F89998E6B5EFBE527B7B86E12C4D4B4C0F79831CA7F2F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032201Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:33.859{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DAFEB502EA5D1574CA49DF0E236F55,SHA256=E6AF3AAB26F5EC75979B7E0758BF868C497993C6F8F0FA4581CD0F29A376A50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045640Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:33.388{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045639Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:31.294{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64306-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000045638Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:31.294{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64306-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000032202Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:34.875{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8555678BF85BB8E0849B5A469DA16A,SHA256=D7D7940AD0DA02BEF0D24904A6DFC83BA88E2EBB8BF84CCBA0788EEF565F052A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032203Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:35.890{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682F11DED2AABBB732CE132BAAEED5C1,SHA256=2A61720D0A2F5034BA315474B726F4B976261A1A371CD5380D2DF933E597E849,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045643Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:32.808{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64307-false10.0.1.12-8089- 23542300x800000000000000045642Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:35.056{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51097A4C57C4C2984A7ACF26DE37A57E,SHA256=81D167B28215640DD5FEA7756A29526743F5AF4C405C4A842BF9D1C605B79D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032205Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:36.906{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C29F1199CC55D23D774B2361186544,SHA256=0F4F6360152454AB244B9D21EA59087BB41FC0A526A12E8C38E8610B937F7F2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032204Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:35.001{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045645Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:34.560{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64308-false10.0.1.12-8000- 23542300x800000000000000045644Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:36.086{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EA79F40F07E709733FE92F5D877DE0,SHA256=CE20260070948CD6CDE368AC5FBB3EE25CB7662BEB4507B972CF53D148A7F893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032206Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:37.922{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE65008EB476576E818CC3EB455FE30,SHA256=DBBA4D6BA56234B11C43E2C5371D180684BEFA467761575D0D6FBAE58EA76110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045646Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:37.104{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCC6BF054CE3029F9A05D4430BD3B24,SHA256=10539C331503E795CC4AD37CC754AF77F868E52B00ABFB7A094BE12F6D95D059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032207Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:38.924{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FCFD69AACB1AC6D487BEB1C55EC0CA,SHA256=5782F910EAABF9DF6D017B631C0195E0EE4FEA476016D861F7D8012DBB16ADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045647Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:38.138{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59938F2A2DB7CA37B882283363A26013,SHA256=7D444F71AAD61F11CCDA4061075B37F0A94D533CA6C8F56BE08EA271FBBC1245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032208Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:39.937{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE00A6D01A79A02A48C2AB3FFDA15484,SHA256=554D878EE875D6BE5A89D3FEC5DDA48EE95C3C13BF3136166085AA0E393E2A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045648Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:39.184{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748331D5B16BA4E9B0ACE0E90D8929E0,SHA256=8E57C1AAD3F46D2646338E83157BF9BD28A05BB589AE75A831EECC87EBD31993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032209Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:40.939{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9F9731886AE46BFCBC08A7250177BC,SHA256=DB52E4EBFDB3C62FE1AA38E5127F0276CE19EE8ADC7F7521B993890707182918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045649Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:40.205{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824E3F7EFB26A22FB9473AE1B65CA46D,SHA256=701CD3106C47A2567C57EA74009FAD22AD03C061CD39C5C0F58188422AF85CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032210Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:41.955{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B281AB8F3965FB9376D2CE0583770473,SHA256=30F949EFE3D98B103DC24450650F1DAD342415C3FA28098D12E8764D95962A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045650Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:41.209{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D09FF6F20CADBE8B4B01691A1AA818,SHA256=97F968264A98DA6FF99624537ADBACD88788A4208141A6F02932276284F861E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032211Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:42.955{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC68922887123FADBAE8FDA8B9398127,SHA256=0B9C6FE1584AD75401720B02979CB3C6FE75BDC33ED91D4B8801F8B83C2A8ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045651Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:42.239{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113D84B3BC797C73876142AE258806D2,SHA256=4107B16AE2A29D16BE06DEACC90943CA7FEA1C72F1E0DAEB683C93594F032DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032213Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:43.955{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B608FE37974BEA3DA3E0DB54C7FD03,SHA256=878A91316839B3DFE6CC209551BD841FFECA030F1A2C72B49C2DC124FB63AD85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032212Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:40.971{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045653Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:40.475{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64309-false10.0.1.12-8000- 23542300x800000000000000045652Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:43.254{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8C833A570735D2FCF3175A7D6CE10E,SHA256=373767494869EF3467A932B215144D2990B43AF2BA875F6D84F18B13F672F651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032214Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:44.970{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA294D39F4F55152529B13C0250AA910,SHA256=8E8ECE791E0AE4A0FE990EC84C89CA309807B9FF5DFCB2E15C4100454D3077BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045654Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:44.254{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF996159F5D24D7E2627477B38DA15D,SHA256=524FB3B218C5CA0EA8425009EBD8054D97FCC7B1398C57F047B35BA89213CF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032215Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:45.986{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4D5B5D4ED81E1AD6DFA38655D4FC83,SHA256=FD6289AC94F8CE78071172E9547FDA7327B87D3097711DD3BFC7FAF82DC3DF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045655Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:45.303{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794CBEA3CE64AC7C15E7643459B0FC0C,SHA256=72ED0B740DEB9D8114E8F24844E4079EC282B8588508A6D14983B972425FC280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045656Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:46.321{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D5077CA6C80228782EECA1BDFE4FCF,SHA256=77A9DED7F458ED3C82682D30E3D442843CDD69C91C33A8942388CA593582FF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032216Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:47.001{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2851B1A9E530EEA1144039C974FFA7AA,SHA256=2B24626377CC8E8330C124EBE221665ECE0258C1726335C00D904BCB91ABA545,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045658Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:45.657{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64310-false10.0.1.12-8000- 23542300x800000000000000045657Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:47.336{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F544CBEF9D4997EBA0563A4E632E9C,SHA256=A9CA83F24A434F640630B7E765923F7B5F906A212583FF75FCAE8EAD778BEE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045659Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:48.351{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FD55CB76EB143E1AD50DBD7FBDC6AB,SHA256=7F1B390D0805ADB98F56B38940DA394759A251CE8064901107A94C856D684E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032217Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:48.017{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A432358BBD5BF3111748241FCA9968E,SHA256=7E98BB8EC43C94C6C6715249F15FA1F5A25DF729F63FB65E1CEFE4ABEB4869E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045660Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:49.366{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA22F5149364AD68FA016D166FD3200,SHA256=EEDB99ED765C8AD6F231C5DEC0576C5D6BDC9718B11CAB771BF9FB8C3D7E95E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032219Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:46.956{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032218Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:49.032{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FFD041BD056B8714DFE7188A984EE8,SHA256=2406C04D800CD93D8CFF82EC90A4D4EF96E8A405D7C863485854578D36E3C1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045661Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:50.381{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A809DD062276DA677773C0CEBB135C,SHA256=3887D8101AFCF056D86008101696B134D4A196978F4DA60A60F877AB5172B1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032220Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:50.047{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C02B96D8DE0F19DF364E1D57164AC7,SHA256=792C868760D56C349CD37B42306E91107EBD3DF8EB9F0621BEA74FB00C24BC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045662Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:51.398{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345CA6C277CB099519B00011C93CC066,SHA256=BF6824CEAC40C52C2659C1EEC1C592F5F249E15D4B6586E69E57C3E1A40D044B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032221Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:51.063{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC2A8D4FFD470B63B25F8117129E6FE,SHA256=1ACBBEF7DB5E5B442E159598FCACFFAEB65A56903489FF36F349856C4CF5FD9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045664Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:50.685{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64311-false10.0.1.12-8000- 23542300x800000000000000045663Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:52.418{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073DF7E6A52D9278FD40B5F2B9B894C3,SHA256=9007B044C63878A868599F8D8E050F9375048AD5AAB146F4378994809489AA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032222Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:52.079{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FF47B4B9A3EE453CFD6676BDEE2578,SHA256=839FF7449C489B87399A6AC7F3EE531FA1B967479C5114B0A3BE5FBDF9296019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045665Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:53.464{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C61FDBDF71BDDE8B369C3A9D3107BFE,SHA256=8D71E7C400CCAC51A27A5AA5333F6DA1D63A1EAD585386FD482F9644D7D07AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032223Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:53.094{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576A134A609E0560C62BAC2A9168DEA8,SHA256=28679124B971115D1C76BBF1B75C6E836B42D85A87AFBA7A6C1B71938C74B189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045666Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:54.467{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB82856178C5482B4A81F68246F332B8,SHA256=89C885E15E33F727BD6A6CC56CC5EB11BD5E06CC33AAAA20391F81728C599E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032225Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:52.908{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032224Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:54.141{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4AF8E11576275A7B6EC33E6D034072,SHA256=F707832065B0327738DFC360F7E423FCF08F3601513E581EA4B3A92C2DFFC6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032226Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:55.157{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE1A1D45660525851BA8EA6B598E273,SHA256=7642718AB2F7AB54A46DF6FFF304B1467DA0CF1B78B2FBD3A0A9CF362B8C328F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045684Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586B-6112-0908-00000000E501}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045683Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045682Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045681Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045680Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045679Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586B-6112-0908-00000000E501}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045678Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.934{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586B-6112-0908-00000000E501}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045677Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.935{82A15F94-586B-6112-0908-00000000E501}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045676Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BA65D96E23BCAC2777C5EDDF20D404,SHA256=4ACB071BE0D15A40442CED98016B76D4E16C48E5A7C5BBC8350377B65E100A98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045675Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.435{82A15F94-586B-6112-0808-00000000E501}60684908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045674Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586B-6112-0808-00000000E501}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045673Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045672Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045671Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045670Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045669Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586B-6112-0808-00000000E501}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045668Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.266{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586B-6112-0808-00000000E501}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045667Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:55.267{82A15F94-586B-6112-0808-00000000E501}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045695Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586C-6112-0A08-00000000E501}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045694Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045693Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045692Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045691Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045690Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586C-6112-0A08-00000000E501}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045689Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.534{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586C-6112-0A08-00000000E501}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045688Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.536{82A15F94-586C-6112-0A08-00000000E501}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045687Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.502{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5EABC8BA45017013EBB4224DBAE661,SHA256=0E3B9649404FD875D4FACB94B674F50D80FA5D6CDEA5CC6F80E90C926F4AEED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032227Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:56.172{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4479539503D71A9F73F5F9E1F658B1DA,SHA256=647DF9E77904809A81C433AB59CECD4BB0EDFED2ADA073FD539D8C15CBC3166D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045686Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.282{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA372EC77D22896915B2742728CA1308,SHA256=422E9BF9216F9993A388AF6B1691AFB05BFABB2B1D6863979FB82FA35F7ED895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045685Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.282{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A2795432B32D1A4476004C8B702F3AC,SHA256=8C4B6F8598806E0E4E7559EB290B8A86B7A832066194CF7A4AC8F5D2FD54E215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045706Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.549{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA372EC77D22896915B2742728CA1308,SHA256=422E9BF9216F9993A388AF6B1691AFB05BFABB2B1D6863979FB82FA35F7ED895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045705Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.534{82A15F94-586D-6112-0B08-00000000E501}63641996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045704Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.518{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C37F7385AD93BDB994796DFCDB2D19E,SHA256=D7682E5CD82D333B0448498E0F06B997B782B1BFA8EE4DE1D102E71B04E2DD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032228Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:57.204{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB34BAC66A830D16FACA160DC7BDABE3,SHA256=6D60CE52BB28FC622BD65B10FBCF044318EAAE0019F59854132D699C4F4DA800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045703Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586D-6112-0B08-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045702Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045701Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045700Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045699Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045698Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586D-6112-0B08-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045697Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586D-6112-0B08-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045696Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.334{82A15F94-586D-6112-0B08-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045726Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:56.500{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64312-false10.0.1.12-8000- 10341000x800000000000000045725Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.900{82A15F94-586E-6112-0D08-00000000E501}51884112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045724Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586E-6112-0D08-00000000E501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045723Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045722Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045721Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045720Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045719Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586E-6112-0D08-00000000E501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045718Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.664{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586E-6112-0D08-00000000E501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045717Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.665{82A15F94-586E-6112-0D08-00000000E501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045716Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.533{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B87E32E2116564A96A0075881441B4,SHA256=EC456B1B9CD945707D45AC1ACA8174039E3D00F80A7B072A69A15F08ACD9CC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032229Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:58.219{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D7E6D1531DEEF29F8D4E800B790793,SHA256=58FCA03ADBA8114D703713A77A089A998FBC33EF70BD52C48E1BCA055F7A30EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045715Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.149{82A15F94-586D-6112-0C08-00000000E501}58883516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045714Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:58.001{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586D-6112-0C08-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045713Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.999{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045712Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.999{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045711Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.998{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045710Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.998{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045709Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.998{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-586D-6112-0C08-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045708Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.998{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586D-6112-0C08-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045707Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:57.997{82A15F94-586D-6112-0C08-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045736Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.554{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEA1775E4D0D8D4152434E43EC66A32,SHA256=101967A8B7AF490CEC963D8E4C493F5FD398B69CFA7FB25473C57794A07FDB0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032231Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:58.017{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51469-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032230Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:43:59.266{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B64380ACABB570D249B0EC4330D2ED0,SHA256=AA93AAF99A4BA9EF0CD0334C281B5715B3754F93552C62656E4D94043E62F75D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045735Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-586F-6112-0E08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045734Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045733Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045732Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045731Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045730Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-586F-6112-0E08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045729Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.339{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-586F-6112-0E08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045728Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.340{82A15F94-586F-6112-0E08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045727Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:43:59.006{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C821D79A860567D88EBC63C652DBAC,SHA256=743DB41FA47BC88DC04F943CE67D4AD3A699B27B23BC12E7B0F034A3082D3CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045738Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:00.569{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCFD8DC637F095BFBA910F112BE095C,SHA256=5022C556D93147A415E1AC3DBB0A1B7A20F391F77E76583D2C2D408AA175FD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032232Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:00.297{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D59D166A2DBABB6C8FFD6C8D75AFC2,SHA256=CB1178FAF8CFD629E2DEAF2A86D21198C445E05B39325B56413E1149EDC347BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045737Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:00.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=458A405F09FFB83F50B8EE63A9ED544C,SHA256=BA33B25F1B0A8EBC3D5CFAFAC28EEEB7E131E4A20AC73C8F8627B686197EB47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045739Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:01.584{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AB5F37EE423CC71681EFB7E9C47096,SHA256=990C7FC65D7260147B5F2D252D1019B33395604CEC4623E4761278CA89A9D59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032233Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:01.313{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB38A371BCF952EAB165947BC797AE5,SHA256=16AF16AF4C1733BB082C42ADBF047E139412E83FE8B0C936685E9E09E640BFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045741Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:02.603{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC198F5D0F00705B1A1F1E89C98FF17,SHA256=C5E3488C183271F563AE2F87BDD0602C54E1B253D6C5B930F5101F44BDEA5538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032234Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:02.360{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D1CBEA3BADFF30EFE91CA0AFA4EA5C,SHA256=83EEA48BFDA6DFFC4376E8CC31226011C07AC0D88AF76588CA0E99CDF32D0732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045740Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:02.053{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EFDBC106D97A5A5BF8E9B821444C644A,SHA256=F6479315D1D78936D2465407BE490EB9037685B5D3C3B4C95126FD9B88AD04A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045742Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:03.636{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796D428789661DC27873936552B45556,SHA256=99939175DBAFE36D6911C5D83DC18BDA3F3002F61AB0AFB216DE7381B45764F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032236Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:03.782{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032235Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:03.360{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAEE148D4218C2C0C0C6CDE5FEFA109,SHA256=6FC09338088C9AB4FC1F3E94DB1D90D1706FD76649F329573437293EE2633616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045744Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:04.666{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8C3EE909A1D857ADBA04DA41BE5030,SHA256=1D23D16A63C97FA9F23F94ADD4B3729116AF84C51116C15BBB5135C8731F7415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032237Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:04.375{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7AD1129FFB21054A1AF064281545E5,SHA256=923391DD3DEFE031D2B6EAD967E0A9D5E783DDC1644F00788D12AABDE80CA6F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045743Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:01.538{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64313-false10.0.1.12-8000- 23542300x800000000000000045745Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:05.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A374247BA252EFA8AAA56322B233F1D8,SHA256=BFE09B139191F99BAA18B129C6E01A4EE24618075927E746DEE631EDE91B9FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032240Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:03.892{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032239Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:03.550{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032238Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:05.407{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C0C3A3E095858F3C89A565A82D5D56,SHA256=5663CE608773637BC4F376C8D91B5EA996728AB5F2BCB1211CA728C9F8F4A6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045746Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:06.698{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF8714C6485DA603CDBABB4F47C8408,SHA256=C61F2FB25143C4111130583744BC4BA305CDF16C616A1A64536EAFFEA85E9C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032241Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:06.454{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B78E9B14862F16241C98B0A8BA44C66,SHA256=6A889DC8F0798C5492C0A7CF749594D294499D0B5F1ED1D535203CFA79865B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045747Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:07.732{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC7676A3B51D4D188C7B999D1EEBBA7,SHA256=BE8D7273920C8D61C5E7B478D8F1FB58FDB92D68FCA67E2E8DA761563E9E5ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032242Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:07.469{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87D9A705C68B9C3C890BD8A04933378,SHA256=277D6DF07AF96FD6D448D8F7DBD1F51139C0A389995FAEBD803676FBB73D2589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045748Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:08.748{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCD8F01ABCC14751664C525B60BE1E6,SHA256=78501AA21F51E4FA27EE43391EDF0E7E1E3F996FEE262ABC95CD7E607D55B7E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032243Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:08.490{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEE3B4062787EF09441A2558741ACF7,SHA256=3A9CA2FFF62C028078AF3E1E95698625C5652F71137F77875477FEB9043770D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045749Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:09.762{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359F8939F2BFCE3D813319A913F3697B,SHA256=0D0D2BA2A7188C8986E63706CD34B2877ABA4ECB91B2E631D016898ACBB61E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032244Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:09.521{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E57B1A8D56609A2558A779BB9B8E7B,SHA256=1B135BB0E9E1CFA1CE2E3BAB2FE61E67D8A9F09DA0B2046AB633C273407E6147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045751Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:10.777{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CABA7E63C5031ED3A66E87DD6408675,SHA256=2A5829F6E36A808045C44B7556E3EEF1180E1E83A7F459BE7EEF7AC4586F268F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032245Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:10.552{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A4FA4DA105696DB5AE067B5A0EB001,SHA256=81B61D5C98AE8489F738924BFEEF9D414E936AF9C0E1FA7DDA8B02BF34311BB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045750Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:06.668{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64314-false10.0.1.12-8000- 23542300x800000000000000045752Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:11.794{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C81F1DA9D8AA74BB32198BBB147DD31,SHA256=B0178F8BDDA64BB433C6DF00BB771388DCBABC80C170ED94CE3208DE95C0EADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032246Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:11.568{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6CD536E6800F33DB07F9FDD1A87CE2,SHA256=D7E8520CB181535C311F5F7EEBF9DBC9632275AD63BE9359845F3695E544B066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045755Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:12.897{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E10EE8F8D84339E7248CA6810157D0,SHA256=56F423196E3E54F9F105AD84D890422613450B3934AA93FAB6E77A0F19AFBD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045754Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:12.896{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69E7D44C45D556AE346F519CFD27302A,SHA256=035DCDD39A4CE06D57E2CE48CBC40B1CC2178ED9ABF591DA6C37F78D27F89BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045753Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:12.814{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E0FE45374E059161E36F99B77A5917,SHA256=56AF5F5761B86DF1209E42345FD5AF8896D48B0E9562AF648D86FDFDF2210450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032248Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:12.599{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F26F5470F6C0B9BFB5DCB4B32FC372,SHA256=C264071CF71A51C58CCC4F8D71AB916C8B90379043BAEAB9F2D2EE3ED9C19E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032247Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:09.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045756Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:13.832{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353D3C199606E8AF78C3FB72776877CA,SHA256=E500890F5B60EC1F479F633F48A02A7BAD6B8EC3DD6C8A0C1A47A3ED20D7A280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032263Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.880{82855F7C-587D-6112-8006-00000000E601}31121228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032262Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-587D-6112-8006-00000000E601}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032261Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032260Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032259Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032258Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032257Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032256Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032255Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032254Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032253Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032252Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-587D-6112-8006-00000000E601}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032251Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.677{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-587D-6112-8006-00000000E601}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032250Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.678{82855F7C-587D-6112-8006-00000000E601}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032249Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:13.646{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454417825725808D95A4D3D9151E6CBD,SHA256=A31041F19EF8E4070E1773204A3F03AF78CCF6918A0E01C9661AC771106E3145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045757Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:14.862{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B306D21CC27A49BE494E2AA43D933D,SHA256=11011C0EDF16083BCA29594E8DE56A00160FA5ABD7D3EE4AC81A55534A7E5BFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032290Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-587E-6112-8206-00000000E601}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032289Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032288Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032287Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032286Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032285Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032284Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032283Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032282Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032281Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032280Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-587E-6112-8206-00000000E601}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032279Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.849{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-587E-6112-8206-00000000E601}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032278Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.850{82855F7C-587E-6112-8206-00000000E601}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032277Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.771{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=07AA2FC21E4BA964FCC4DD414C515691,SHA256=E780EC9F5039499A7E7097C3447042247E6A945D1FBEC9289E547649FEDCB005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032276Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-587E-6112-8106-00000000E601}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032275Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032274Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032273Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032272Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032271Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032270Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032269Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032268Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032267Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032266Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-587E-6112-8106-00000000E601}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032265Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.177{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-587E-6112-8106-00000000E601}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032264Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.178{82855F7C-587E-6112-8106-00000000E601}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032295Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.866{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D99E73B8E4EB934640DE7531F942978,SHA256=0F970DE60876483CBB1F90B0CE44F34DDA01063DDE64A77528F17B101B9F940A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032294Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.803{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7573289430EE676BE3669F0C0B7F1B4A,SHA256=B1D3E1428779AFBDD199F6F14B7F03D17DB201022716F0CD259B749B014C7F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045759Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:15.895{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E63DACA21BCE86FF11B856BBB6E34,SHA256=5706C173525D7249450776C3865DB6AC8DA798E03A9D6BF14E1FF3081703F073,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045758Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:12.612{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64315-false10.0.1.12-8000- 23542300x800000000000000032293Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D99E73B8E4EB934640DE7531F942978,SHA256=0F970DE60876483CBB1F90B0CE44F34DDA01063DDE64A77528F17B101B9F940A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032292Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1EFE2224BA99960A2E9C8763A7D642,SHA256=741835F54ECF53ECBCB8B67D272A59B644EF03A9C269737BE3246C1537BC85DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032291Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:15.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F1B43F4E61A626CFC150F26ABF78B9,SHA256=C80FED27D06B8B978ACFA2978ED77B3B5B56FFED8AEA1735D881C22A5F2C1EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045762Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:16.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DAB22B22290434C84B200993EBA5E1,SHA256=E2834417FF53A7A394F5C029272F2461407E68B269736F0304F3471F36966B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032323Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.913{82855F7C-5880-6112-8406-00000000E601}40683204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032322Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5880-6112-8406-00000000E601}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032321Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032320Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032319Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032318Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032317Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032316Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032315Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032314Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032313Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032312Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5880-6112-8406-00000000E601}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032311Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5880-6112-8406-00000000E601}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032310Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.710{82855F7C-5880-6112-8406-00000000E601}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032309Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.272{82855F7C-5880-6112-8306-00000000E601}13082432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032308Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5880-6112-8306-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032307Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032306Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032305Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032304Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032303Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032302Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032301Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032300Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032299Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032298Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5880-6112-8306-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032297Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.038{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5880-6112-8306-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032296Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:16.039{82855F7C-5880-6112-8306-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000045761Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:16.277{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txt2021-08-10 08:54:16.052 23542300x800000000000000045760Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:16.277{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txtMD5=A34F479555CDB28633CB3CD7C56F279A,SHA256=AF2F6EFA43BAE08F570C3819DF94D1B6BC9DEACBC63DE0C9310139C0D09DE5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045763Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:17.960{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A15E3278D1F0BB8B5EB22CC8760C25,SHA256=20472C50A05DB2EC4E21DFFD69BF9A7FB30BDDF68DB42D20AA1550B45AE8C599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032354Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.960{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A4BE01E40B5B70D1930BC812C41BB4,SHA256=4EB8385660019620B18C9A793FDA28143387E9A33424A2B57F2D72F807709E8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032353Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5881-6112-8606-00000000E601}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032352Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032351Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032350Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032349Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032348Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032347Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032346Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032345Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032344Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032343Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5881-6112-8606-00000000E601}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032342Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5881-6112-8606-00000000E601}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032341Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.882{82855F7C-5881-6112-8606-00000000E601}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032340Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.397{82855F7C-5881-6112-8506-00000000E601}6242812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032339Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.335{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD67AE3FD39AACADF85F059B5751970,SHA256=6D08C60F38F33676DBE3BAA295EBE9EC16E062017CFA155696FB0F0DC8395B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032338Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.335{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F76394C6EDE030F5EB6B850D04E848,SHA256=31A496348EC91AEB253C6E289D825D8A726E99F54A9AA9946C033AC1CA2671AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032337Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:14.975{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032336Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5881-6112-8506-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032335Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032334Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032333Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032332Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032331Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032330Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032329Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032328Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032327Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032326Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5881-6112-8506-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032325Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.210{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5881-6112-8506-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032324Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:17.211{82855F7C-5881-6112-8506-00000000E601}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045769Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:18.975{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B005F0C9B514A0366D16CA8AEB5DAF,SHA256=78F11B9A6BC9CB0CBB80F08D37876E2384E80A33916CBC3A6166C3F7E46E57AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045768Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:18.528{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045767Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:18.497{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000045766Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:18.497{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000045765Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:44:18.494{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.57.200400712C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045764Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:44:18.494{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.57.200400712C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000032355Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:18.897{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6DD4F0D6FE063F8CDD0B8370EF51085,SHA256=F71EEAE5ED000162929B8FD87F18AB1C54CED476DEF39F0BF5E25B8D3D5C1DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032356Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:19.178{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6161FBA2606C0806185805B40D7960F,SHA256=8C4A594410B748499F9852F462357F72EB80B4E56C7F10C4FA10DB532A0350D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032357Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:20.225{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460EB4B9C7FCE83A7CB22ED0D4D92E87,SHA256=6782F33FFC89E9EA5B46710FC9A792EC20F030F6D1733339357ACA438A82909F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045771Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:17.695{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64316-false10.0.1.12-8000- 23542300x800000000000000045770Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:20.012{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AF6D6FFC605F1724692305842BE1AA,SHA256=9DB19D30C5CF8EC7258F414017BA6367765DD9854DC2C6D268E203E5D691EF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032358Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:21.257{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E5E934D13492942BF3F43205E4AFCE,SHA256=9481CF3CC8265E3E2EED0DA522F79380ADEBF6A24EDEF2A7258635BAD08E45B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045772Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:21.027{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC0E3C1DDF05FF1937FD9F1CFD07B36,SHA256=1B1041FD6035D413FE501216EEF7FFAD98F7378535D71D090BF6E46B7EEC843A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032360Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:20.960{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032359Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:22.303{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E2365E43EEC002D0D626131ED000A6,SHA256=626380376E2AF4EEAC7C147BAA91611694B9D15561C4C4C65AC843DE01CC85D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045773Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:22.029{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F2FCE99E313FA785E1C7A7FF5A9C32,SHA256=03EA5D2AFFD956DF8DB2B66C4A0D4AC2B751F8F5B689EECFC69742912DF86EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032361Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:23.319{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C93DCAA880AE89E5BC4EDA22B36BF1,SHA256=0B6EF13945644967DFDF5DA7667FF0101CE99BF9FFD327DB1826716C183164A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045774Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:23.042{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4915E8C911052A03794D448D91533E,SHA256=7A2BEAEB454ECD1F6ABCCA44D71DF907D60FE6507163ABFB77B8AC91549532DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032362Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:24.366{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DD4467E2A3597B80984CB869922430,SHA256=3584D7F95463DA417BCCBCCF665C936F7E45C9090D12C0304BCF89A2DCD3BDC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045775Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:24.110{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA18C4802E322A9B118EF8173C9B7FF6,SHA256=F10163FFBB280B2A443D3C78010650A526CD5B6F9732086A10F0128BBA4769D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032363Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:25.382{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3975F8C7B0FE9EB444AD904A2A7DA17,SHA256=AAB988874CF1BC48100CF59C1EB8C68F24C23CEB063C0405DF99F88D03370310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045776Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:25.124{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C3DAEE484E19458BC49D5A777DD74A,SHA256=B14BA0121D5EDD5E51EBB695124CC0B6A35850C6C3D5A205152B15437ECD43AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032364Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:26.413{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB8288343C50E3A25F3FBA0E6B41F5D,SHA256=EB3F606B4F59EB712D81DE4F7866DEA63931A3A35188B192E60DDD684F361226,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045778Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:23.676{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64317-false10.0.1.12-8000- 23542300x800000000000000045777Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:26.171{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD719A05BF72332CCCB49953613BC5AA,SHA256=3B9AB6E5F031B3218C2B3B15FBE2A61B5E1DD57339396C6CF2DC8DCBCAD78659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032365Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:27.428{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B08B65D80E6CBF0E3B13DD08AD9024,SHA256=4EC06BB858E3EA01403DD549BDE0E1A67E9C568FAFE95500A14775B9D0BF9D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045779Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:27.189{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7005D952BEBB6AFC7AB92FF4CC793551,SHA256=337AC9BCB4EF0C197A64C425CCBB4D3DF640F673B0C529600CF55FC51A648D46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032367Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:26.929{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032366Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:28.457{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1552C5C4EC104549E98F54FB67F7AD82,SHA256=99E0DF83EAAB9D9E400ED11810DC06AD7920AF35FFFC053387EC38F0A08287A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045781Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:28.838{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3B2BE0ECEFE28D442C76C90E4D35EABF,SHA256=70ABB0EEB2BDB6A1DFFADF73E29963E79720CE0A9F561CD36FB6DC4E1A583051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045780Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:28.208{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF7EAA07CB7FEC6C3C51A816F6B7652,SHA256=D1B40387698EBED3306F12832419552B1D5C900F7E6E1907E4B928CC10B60974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032368Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:29.504{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3888094715F418BDE3E768F13D5717AD,SHA256=D556A9577D4ED266D7FC80E85527FE04516CDC42A86C14AC4530E5D0BAB8764C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045792Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000045791Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008c9f63) 13241300x800000000000000045790Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcc-0x506ced59) 13241300x800000000000000045789Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd4-0xb2315559) 13241300x800000000000000045788Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0x13f5bd59) 13241300x800000000000000045787Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000045786Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008c9f63) 13241300x800000000000000045785Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcc-0x506ced59) 13241300x800000000000000045784Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd4-0xb2315559) 13241300x800000000000000045783Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:44:29.685{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0x13f5bd59) 23542300x800000000000000045782Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:29.288{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B0D1F75C5BB3159B3CD573230333ED,SHA256=CC5EA5F87C40E0029397BEB7A1347F3EE7FA7F0AB61B6F0739C869F842EB6B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032369Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:30.520{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F3367982B736045BD6F25603FCE838,SHA256=452DF135904895E9F25A5A70DE8A1BFB4FF82968B6DECFE7CB2321A9AD6897D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045794Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:30.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045793Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:30.309{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0878EB8DDFC79AAD9DDF5C0956FD7C85,SHA256=409E08D80B396D71935E482D72C7F974F600F7D8D2AB6C343949E2152118C9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032370Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:31.536{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB464949EC72DC999824847063967E2,SHA256=9D8A9B5F9582682F12CC8AB548F596C75D91DD2D0C0B3F23BDD8718041B22DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045795Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:31.325{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6314FE9AF98134A86795200565F6D72,SHA256=2672E22D5C4E5216948BB1A40733A19EFE836800B3380F8C05C49F43DCE37217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032371Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:32.551{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46463528A031A8A7BF1113ABF38DAF93,SHA256=BD2340E3DF93D4AB0A3631DF7E0D0499401D9F3EFB3DBEBBE1AA7A1A4DAD34CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045799Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:32.892{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C037BB463AAAE1FBC89D2DDBB621919,SHA256=7C7DD2787B1070994D3787A79D6A6D7200A8946BA8B3E029332EDD3EDF49265F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045798Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:32.892{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5E10EE8F8D84339E7248CA6810157D0,SHA256=56F423196E3E54F9F105AD84D890422613450B3934AA93FAB6E77A0F19AFBD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045797Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:29.607{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64318-false10.0.1.12-8000- 23542300x800000000000000045796Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:32.355{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00BF1B312B9E852AB117E21D7F98AFC,SHA256=7B339FCC026B9142CE677145BF48BB9443B731D197B141FC1BEC13EE118C508B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032372Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:33.567{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47ED0D8037274BC4B6FFEB053A707AC0,SHA256=678A70B45F2ADB1BED210A2A55D971B3F67B621799F7714872707D80703C955E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045803Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:31.307{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64319-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000045802Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:31.307{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64319-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000045801Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:33.408{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045800Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:33.370{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E9D820771A97A58F635C68C05F6057,SHA256=F57CFC1B86B530F86E31BAE1398DBCD8FDD643632257848C4E4D5972D337978D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032374Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:32.895{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032373Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:34.582{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEF020445C5456A29EFC3A11C8363CC,SHA256=80B0F0D85494975EE481719ECCFF43C5C39FABCF28A44EEDC3F5E3C3E8600F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045804Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:34.438{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5570E7D537D7049E59565BDFCEFA785,SHA256=9B05FC829EAE324FD3880974954279139D43562A41518C008A3B3C0CC032EDDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032375Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:35.598{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97FDF99BA4F31F68944590C1D8D5613,SHA256=75C1019FD7376BA85B42F2DD591B457A6405A12AA0F107F8F579BB5ED152BC2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045806Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:32.824{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64320-false10.0.1.12-8089- 23542300x800000000000000045805Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:35.454{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE510B1256465A4D7FB3FBBC698E25B,SHA256=5B180B88A8C54FD9E331AE65D02D4C1D12677B1F982DC5759227448F16237DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045807Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:36.473{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B352C8100F7276267DAC82F841CE3A08,SHA256=A5BA22EFE364039946BCA49D59D31F35060EF274DD31E0CC8C0E6D33AE980799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032376Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:36.614{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90B266168B5F392B4B9B3B5DDEAECBE,SHA256=E3DDF9384DD3FEEDF41A680A1C0F8FB5D4D0BA031E94E739C22A9B153460C0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032377Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:37.629{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14615E0A4767497F36BE4A1AC43384C4,SHA256=5517649E9F9A576CD40732B7287754F5AD73B0FAD9C0F9148970BA9C97548EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045808Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:37.525{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA6920BCC308FFFB3F591CEC693E586,SHA256=1DFABF0CFFF5448AA1CCD214668F6D8F44571E9DBA1438CE9A708015A5492BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032378Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:38.692{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1BAFFBE6C39B3AC1E6CA1E3426DBCD,SHA256=48A24C490375D6FEA7472840A002FFCF38B38A8D426ED413662529F72D5D9B5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045810Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:35.504{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64321-false10.0.1.12-8000- 23542300x800000000000000045809Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:38.572{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E072E6FF87082AE42DAB628637574B8A,SHA256=01E71B51B40BF78C7D88BEAC60B2E4E63FE7DD1695E51638CC262508AA764251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032379Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:39.723{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AD1F3C2B6AE21558DF69967D35FB00,SHA256=E7B907C9289D8EC0AB79C200DE7081F68A9596F5FF4CE61CA7096FBEFF6E7829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045811Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:39.589{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA25E75D343DA90A3C600EBB2BBB4E91,SHA256=5905D020C0A97B87BBD4DD869A0D80677419782C0ACCF86C075A75D831473143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032381Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:40.741{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C41E14316EB3890DE47577BC99739A,SHA256=33CDFB045368C1A90D4DD8AF144FF67908941EC7573DA8FE441215ABD7EC911C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045812Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:40.608{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD191A8FD986A320DE389AA4EA598F5,SHA256=BFFA64B49D0F8D3C44F89BBC20AD86FAB8B3D9D905604D84CA111B59B4FFC285,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032380Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:37.926{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045813Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:41.654{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894B368F1A54EB62F0936351D4C3CD78,SHA256=DE227DBE18AF5EB0FD7D466455A2C96E809EA03792FDB02089F542FA618CC0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032382Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:41.743{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F9E793B3FBB388D4845559ED8AE3AE,SHA256=2078CA69FD9D5E4814874C09C34619F68EA779926E23C6F304BC2028601F35EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045815Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:40.624{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64322-false10.0.1.12-8000- 23542300x800000000000000045814Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:42.669{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D567564E8D30F116A54C6375C447CF6C,SHA256=96D56D40F08251FFC908AEB1D21798358844619AB9B2ACED6FD609EB32D793A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032383Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:42.759{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF5AD0D39277BC076E513631D08103E,SHA256=DF2C70B8EFD61733E8537856DFE47E07C01A4DC8C52B0F9317088FE09033135E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032384Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:43.790{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF423EFF5D5EAD243A9DB329205F088B,SHA256=3AAF9B8A836DB4BA43F1598F56303A67FA6666B23F890DBBD701F716FE3149D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045816Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:43.706{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F1CF57E275FE4408E9061671E4F9C,SHA256=BE7703E23A737E7E18C32844BA5B509F4A99AD055605A6658110D61780163DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032385Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:44.837{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA523494B3E93FCE5181F5EBFEC5CF1,SHA256=68C8EC71D5936118F95B928DCD46DDB06F60815E92EF1414E96146AF7A577C97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045818Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:42.429{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse20.79.73.243-60679-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000045817Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:44.721{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B499166DA1910B1CE61AD9A2293B1468,SHA256=71133FEAC7B9864B83ACCDC914EA9912E425D93F4B4B987F3935C406B5A5FFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032387Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:45.915{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D511DCE4E41A22406671C47FC25EA6,SHA256=A1AF9C649A17BC98C5754D7335D9E56FA429B2F7911A3587EC94855D24629771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045819Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:45.735{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74826C4AA6FC31E2DF5A4D14C83B822,SHA256=9DFBD5301A622E770BFCD48EB977D7AC1E97D4B0A8437815A0B5B7CFC48A23CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032386Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:43.837{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045820Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:46.766{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE4100CEEC036CD07033346BCDF3B28,SHA256=688C03476991B769DA7083795ADF8DAE814B309029F2FB0B4BF22DFFB5191361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045823Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:47.783{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D5951C53327A5CA0037DD94F84CD61,SHA256=61A006ACCC8B3ADD3EC706819F6C42A7DF8A29D479E8578196ACA9F6D8F6CFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032388Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:47.009{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B11782F43F977807558A54193E6030,SHA256=1D852FAE5280F6AA82252958FF3B2D48B5C755856D79EE1455134A5BF5E3178C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045822Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:47.634{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5420CD3532D226957F20D646AB57B789,SHA256=AD1DD6F5A90DFFF4894FC57AD10FD080EDC070B49932FDDAA8BDA0B35130E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045821Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:47.634{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C037BB463AAAE1FBC89D2DDBB621919,SHA256=7C7DD2787B1070994D3787A79D6A6D7200A8946BA8B3E029332EDD3EDF49265F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045825Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:46.570{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64323-false10.0.1.12-8000- 23542300x800000000000000045824Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:48.802{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189622CA1434FE7167133DDF5C0A701D,SHA256=16FA46EC4FB8524A5947810480375FC234485D8E4DC1E693696D75245DD8FFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032389Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:48.040{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B144EE55725EF92BBE199CBFF15D11A4,SHA256=5F10339CD73B0AFF450781D5393534F9CA717B779441354DAAFB3D17E290A005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045826Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:49.833{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466A3929EC173CAD3A86F7C0FED673B6,SHA256=BAF167842F811E6C336B6410F4447C0E178B80E385DEE21B9AB1C91D6F522F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032390Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:49.053{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B60B94A67822E5DEA28C0E7F7E34C23,SHA256=5CBC6E26A516C069B40EF740F95D794A2072518D64DCBBD8D31552FB7603FB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045828Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:50.848{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A62347C351E2D3EB1F93A1F2F87946E,SHA256=C894CA0F26C858A852D11A6F2D98DF4F1AFE6D5D91BCEBEE2204865F32AECE80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032392Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:49.038{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032391Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:50.069{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4227716B1063E8C0D551C4A16BF91DB4,SHA256=ED3743DEDEDD0AE4CB0D5429AE3921DF523D4C0B6E7782E3EC674337B226C1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045827Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:50.164{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF8cef68.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045829Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:51.863{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F427D0E91552DE6C7D156AEB4ED263C7,SHA256=9C5E8B6ED298894B9E02AFF5F989DA9B870E50FF8E32CC90D18CC9759F638BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032393Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:51.100{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D970B24D2AB7B017DFCECAE6483108E9,SHA256=75803D6ACD4FC0B3FDE6EDAE286CEBFAB7D3786CE478915E50487C3DA03A9F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045830Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:52.875{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E98DEB13C832DE3443CD858DB6553A8,SHA256=125B5477CD908BB59B8B2C287B38837597A872F02E94B30D7D95EC071D5BAFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032394Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:52.131{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22999C5CA030FC9B89533F77DAB8EB86,SHA256=8A1126AA1E01957C3582B29C3872BF6FD66BB25F0D2719D86480ED6A3F4E90F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045831Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:53.899{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A446935E02D1D77B0BA422E0EA5F6C5E,SHA256=A7F191FAB65A3E42307504FA546A423FBEB50B0E08F9D9A6A72D8E5D197BD627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032395Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:53.147{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE84999591CE266B7FBC19DFFF3C3563,SHA256=FF64634D410AC0970DAF68DC866173A9D620FD9A91EECD94B7FAD49408E95F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045832Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:54.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268DADA094F16EBF283DE40A02C6F7C0,SHA256=3F109F6F7F2FDAC9ED5AB7702702FE47394413D9826BE70B583C8D2D8176DDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032396Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:54.178{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B4E2598DD209AAA06C0DEA835785E0,SHA256=1EE9CA18AF3C4CE62C692E114AC4154422DE53078B254578B33023A9575D1B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045850Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.930{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC073B8A109CE322D4921C887D9F60D,SHA256=D1773DA3581990BE317A8131FC8D4F587091D11FB58B02D2B85878EC7BB7D2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032397Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:55.241{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A65A38838A1E0FFE2F18CBE5D58A6E7,SHA256=571C46E8BA8969D022616B98885821C896BC66E024B3904383A2C8786309871F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045849Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58A7-6112-1008-00000000E501}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045848Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045847Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045846Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045845Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045844Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-58A7-6112-1008-00000000E501}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045843Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58A7-6112-1008-00000000E501}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045842Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.848{82A15F94-58A7-6112-1008-00000000E501}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045841Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.183{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58A7-6112-0F08-00000000E501}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045840Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.181{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045839Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.181{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045838Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.181{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045837Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.181{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045836Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.180{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58A7-6112-0F08-00000000E501}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045835Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.180{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58A7-6112-0F08-00000000E501}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045834Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.179{82A15F94-58A7-6112-0F08-00000000E501}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045833Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:52.613{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64324-false10.0.1.12-8000- 23542300x800000000000000045862Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBCC499BBA496ADF24C88913778D59F,SHA256=854186BB0E55A40EC64103217BCAB2674EB1C18597F90F9AEE34263B8154FBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032399Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:54.944{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032398Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:56.366{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7918366498FA19DD0299279580419BF,SHA256=92D17C17A4C61609E1D185329A300E72A3AC907BDE013E8E10F750E03AE2ECC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045861Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58A8-6112-1108-00000000E501}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045860Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045859Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045858Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045857Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045856Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58A8-6112-1108-00000000E501}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045855Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.514{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58A8-6112-1108-00000000E501}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045854Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.515{82A15F94-58A8-6112-1108-00000000E501}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045853Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8141A987B09D66790B1F528AEDB2356A,SHA256=3B885CF772C076FC1F9E623E756FE784D0F00706D26107DC27E779741517AD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045852Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:56.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5420CD3532D226957F20D646AB57B789,SHA256=AD1DD6F5A90DFFF4894FC57AD10FD080EDC070B49932FDDAA8BDA0B35130E3E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045851Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:55.999{82A15F94-58A7-6112-1008-00000000E501}5966880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045873Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.962{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183C56D067D29BFACE15B7331AC61CC6,SHA256=F5DF2639369C788D1A5264EC80C78FF7C6898EA9B1A081C0CEAF3756B04581CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032400Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:57.381{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986B94B44C2076F2585BC07D710FAA27,SHA256=D9D941C6215D52674EB5E3F8013A1F26F90B420D2E0ECBD1C2F405B4DD08EE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045872Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.532{82A15F94-58A9-6112-1208-00000000E501}68084636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045871Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.532{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8141A987B09D66790B1F528AEDB2356A,SHA256=3B885CF772C076FC1F9E623E756FE784D0F00706D26107DC27E779741517AD3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045870Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58A9-6112-1208-00000000E501}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045869Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045868Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045867Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045866Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045865Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58A9-6112-1208-00000000E501}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045864Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.330{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58A9-6112-1208-00000000E501}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045863Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:57.331{82A15F94-58A9-6112-1208-00000000E501}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032401Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:58.397{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F7ED09043832FBBCE1A9D93135F950,SHA256=C1D638720AF9F4A4AECACE3284788A6DBF36D883E569D7988E58F97A7D6D6552,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045891Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.661{82A15F94-58AA-6112-1408-00000000E501}23362256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045890Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58AA-6112-1408-00000000E501}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045889Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045888Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045887Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045886Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045885Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58AA-6112-1408-00000000E501}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045884Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.514{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58AA-6112-1408-00000000E501}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045883Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.516{82A15F94-58AA-6112-1408-00000000E501}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045882Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.246{82A15F94-58AA-6112-1308-00000000E501}67641104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045881Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58AA-6112-1308-00000000E501}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045880Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045879Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045878Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045877Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045876Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58AA-6112-1308-00000000E501}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045875Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.015{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58AA-6112-1308-00000000E501}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045874Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.016{82A15F94-58AA-6112-1308-00000000E501}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032402Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:44:59.412{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55EF9013E55A76620D3A31EB66D7BD55,SHA256=1FB0A22C024F90FB64904E85E13BE3331976B3EB48CC2F24A9CA7B82BAB94D8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045901Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58AB-6112-1508-00000000E501}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045900Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045899Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045898Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045897Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045896Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58AB-6112-1508-00000000E501}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045895Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.198{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58AB-6112-1508-00000000E501}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045894Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.199{82A15F94-58AB-6112-1508-00000000E501}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045893Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.030{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4396E7D1926B50804DF509B6FAE2B5C2,SHA256=9A095CD17E033A0B9F829FFC9F6FAEDC03F5778C94F93AD99C5BE200C7BBF7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045892Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:59.014{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EB7F4C2491D8C4496BF79A8B47A8DB,SHA256=1148C226E08EB85EC1FAE1387992991589915373C0EB8E3744FD83CC356EF5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032403Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:00.412{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A972A0666A0074EC9035E4CAE5D06072,SHA256=65B05F489FE3BA177B34934F808E584048D5C9B8011F6489F6995EDBE9F47DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045903Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:00.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=264DFDDA8F9BE2A31C267E6D6EE90762,SHA256=3D8EB195BA498B142138258F3FE8F392BD60EF8573AB6335DDC70B5FA6DDF2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045902Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:00.014{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C01C480EBD8E8AEFA14276843743BAE,SHA256=61F2EDD76EAAC485A968E6F8BEE15CE25489355FC777D9900D5938D1AB5E80CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032404Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:01.537{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CCAC15B4905AA2326B9FD2F27D130A,SHA256=35ED070AE5992FDDCC0597588B8E468344B6ED3B93602E4454E5DF7D96CFDC0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045905Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:44:58.565{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64325-false10.0.1.12-8000- 23542300x800000000000000045904Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:01.015{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA5992FEAE716E2DD22326E34BBCD8,SHA256=48F23E2B37755334FDAD23A82ACBA3121D4F014EA7CB26D95FCBF4E8EF13FA6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032406Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:00.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032405Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:02.553{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187168431BD279DF363219F76B5E3CD6,SHA256=A048B2A86F731FBD3BA0CA2150ED17D01BA2AA3D4ECD18AADBB0E2AB0E6509E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045907Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:02.061{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D374F6472E5920F90D29B62A2ACF207,SHA256=348D384F94922537402EB110C468F290B606F79B1A60AB03AB4BAD63D0BD0EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045906Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:02.061{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=942757CFDD756C6CA2A04A20B17B4EC0,SHA256=2FA80B76EF62A49269566D69CE11420D7BEF304B37E29A85A1995F3A4ADEE69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032408Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:03.803{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032407Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:03.709{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF35BBC605D7D7BCE2BC23E70FBD219A,SHA256=5FD6EC266E41D93FFA495DD272B7E959E69B723C4AE2E68C832028091A4F2285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045908Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:03.061{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F581B495CCAE4121F68CC32EA29235BE,SHA256=E16E34E15AFC5ABA10D2A9290BACD497A7B48F7E55777F09BBCCBD1AE7392EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032409Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:04.709{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5111FF3ABBFEE0887E0AE491A6CB68,SHA256=5308BC9A3CDC4C596D61726C20468624F40F39DCC347E1B9BE0DC544665DA35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045909Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:04.078{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772CF8152B7056AB586E558027C6D064,SHA256=8F05318016582B396CF8699CF71689CE7034F336634117F89021F254020926BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032410Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:05.866{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A7007D87012A15D45C3F9CE72363CF,SHA256=0C728043397B179C9DCADDB19011109F65390D5B5ED0162956A367F3B110C809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045942Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045941Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045940Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045939Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045938Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045937Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045936Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045935Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045934Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045933Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045932Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045931Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045930Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045929Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045928Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045927Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045926Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045925Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045924Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045923Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045922Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045921Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045920Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045919Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045918Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045917Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045916Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045915Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045914Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045913Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045912Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045911Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.928{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045910Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:05.097{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B4B786FBAC47343401CD8C2EFB86E0,SHA256=5D395FFFD2C6A83CD1AB9F0D00C069757D4D6C6AAD78C9A76B4E6C3F6DA9BFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032412Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:06.897{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E38C04F63C4B5209A1BE12B3DD4321E,SHA256=432C374B3665973127B18C4A9BA4A126392E404502DBC648D053001CD79ED5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045944Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:06.612{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD9B8A0AA2903C4B9097F01EBB23A78,SHA256=AD45561AAA956F59B4EEFE878BAECFDA5EDD5A92129C023ECB3FF32733CF6B0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045943Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:03.580{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64326-false10.0.1.12-8000- 354300x800000000000000032411Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:03.569{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032413Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:07.912{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68323D004EB9B8BA59A9EBD1FA3388BD,SHA256=6579F0A27FA916C749F7A3E194AF19D305F7C7ED0743A425DF8F203C6BCCDE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045945Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:07.259{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E4E459B13F814F0EAE8E8F24223BF3,SHA256=214CFD0385D71D4F08862EE8D64025FA35FF315902492677BFFFA76552E62258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032415Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:08.990{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2596F003DC85A24882064BA73DC23B3D,SHA256=F23D669F317E7C3B5C0BB36F2638582DF34ED92995A40293BD4821C14E0C3E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045946Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:08.276{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03053AF4CA5302E52C4FD46D54C60131,SHA256=0ED9D291E8CE72546EA7B2245E3FF7676B388359FD698956CD3A321E1851C952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032414Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:06.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045947Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:09.327{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94915BAEDFE0315C60EA4D61670ADB6D,SHA256=8E3F8871D0FD4330DA86AB3285C4A084F158C34E7D942A1ABC8B6064C46CC6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045948Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:10.357{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888170655EC3707CDC53D97146A613CC,SHA256=0CA8DDB93616DCC5826D15657ED2E86A9519206661FC5BC900767BA25BEADB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032416Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:10.006{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011C1365047FA911A9A4CC2DF43858E7,SHA256=8B8CE3D16516C8192F25DEDA5332F542BE4B863A92BD958424D70E1909BF9706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045949Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:11.376{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36A487554CB4163B2D9EFF2698E341D,SHA256=5EC0EA57E3E7E55C11BE3FAF0240663B707E15873A17F1EF8CF4A1E43989809B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032417Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:11.069{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B8C2B444421309B7E3603B930C1D2C,SHA256=5D18383B8FEF40B444C51F8E76A2B9B95DAF4C9F06DD843740A495022032C561,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045951Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:09.546{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64327-false10.0.1.12-8000- 23542300x800000000000000045950Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:12.394{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86E7ECF97863FC21A266759C4E49211,SHA256=4CEBFEBD09F069DD8F188B552550918719514727A13CEBDEF19F598A78B80FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032418Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:12.100{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9295B469A440CDE90826FDB4EB5AC932,SHA256=3303671014AA5DF71338D888127CEDB144AC97186E89D6495AAF4606ACB8073E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045952Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:13.440{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B85FCFDEA96D2373621AA81280B14CF,SHA256=6AD87EEDCBFFA607FC5CFFE59E1389440972F1E3ECD1AC3C0A13E9AAB22D97D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032432Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58B9-6112-8706-00000000E601}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032431Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032430Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032429Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032428Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032427Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032426Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032425Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032424Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032423Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032422Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58B9-6112-8706-00000000E601}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032421Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.678{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58B9-6112-8706-00000000E601}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032420Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.679{82855F7C-58B9-6112-8706-00000000E601}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032419Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:13.115{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B40AD790455516E487A1579CFC82E48,SHA256=CA992EE0FEB1F907E6D2CBD3B5BF0637BEC45F5C9170731DE27404E172FCC418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045953Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:14.455{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FFF8D9BBA3622E01748577BEDAEFB5,SHA256=B75ABA1C3D5A0D26F0D6989A1242D9A53979FE802740A93E07E2FA414A280FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032450Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.912{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58CC236C5312534C1036DEDFE82D0FF1,SHA256=1E20D59C468CF81C4CE661F8D12DD08CC5E7023BB1BFB3B59791FDBE36D4118C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032449Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.912{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF554E22A50910FF0C89AB90275A4336,SHA256=52A7FA2E02F354E765633CC0E1E282E4D7F6E22F58C876F0EF160358C038FB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032448Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.772{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7955C309EF029213362E27B5D5B16599,SHA256=33FB2D5AC5DF83E4303A5B5C5A903551FB54A853F6B26C7F173C2369C5281900,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032447Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:12.943{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032446Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BA-6112-8806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032445Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032444Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032443Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032442Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032441Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032440Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032439Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032438Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032437Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032436Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-58BA-6112-8806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032435Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.350{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BA-6112-8806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032434Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.351{82855F7C-58BA-6112-8806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032433Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:14.131{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E38B8F51BA616B9EE59A9B638D4CCD8,SHA256=34D9A397CBF1F675D3D65A213F254322EB405D0E85F93D7AEBC89268A0A0414E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045954Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:15.472{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC1A44E15CC3DE23CD9D5FFD57D8E52,SHA256=43C3BB2B5501E9B4E2357FCC7C8DF11233596365B6487EFC22F40FD8E63CF54A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032465Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.209{82855F7C-58BB-6112-8906-00000000E601}15922524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032464Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.194{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D6B2EE7FAA89BDF002340CB67A9DE9,SHA256=E4CFAFD2AF4EA0E1D939BA787852A9C7778F0DAC9F4E9F35BBA6C4F680451D21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032463Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BB-6112-8906-00000000E601}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032462Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032461Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032460Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032459Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032458Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032457Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032456Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032455Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032454Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032453Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58BB-6112-8906-00000000E601}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032452Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BB-6112-8906-00000000E601}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032451Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:15.022{82855F7C-58BB-6112-8906-00000000E601}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045955Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.491{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7FC393F7AD09D41C68DE9673B995EB,SHA256=415B60973A050F364E5362493906AF02B8FC4FD977185A5697DD7B8F2BB786D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032495Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.897{82855F7C-58BC-6112-8B06-00000000E601}38043036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032494Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BC-6112-8B06-00000000E601}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032493Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032492Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032491Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032490Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032489Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032488Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032487Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032486Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032485Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032484Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58BC-6112-8B06-00000000E601}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032483Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BC-6112-8B06-00000000E601}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032482Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.725{82855F7C-58BC-6112-8B06-00000000E601}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032481Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.241{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7483F0368E84992FBCA75B99242FFB5A,SHA256=2BCB6C3B98E91847C3DAB31617B221F951829911DD435C2EF68C00A7E6860448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032480Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.225{82855F7C-58BC-6112-8A06-00000000E601}28723232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032479Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BC-6112-8A06-00000000E601}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032478Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032477Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032476Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032475Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032474Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032473Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032472Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032471Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032470Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-58BC-6112-8A06-00000000E601}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032469Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032468Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.053{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BC-6112-8A06-00000000E601}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032467Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.054{82855F7C-58BC-6112-8A06-00000000E601}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032466Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:16.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58CC236C5312534C1036DEDFE82D0FF1,SHA256=1E20D59C468CF81C4CE661F8D12DD08CC5E7023BB1BFB3B59791FDBE36D4118C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045962Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.522{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935FD03973E69C6FB44B992532CF8BA1,SHA256=750BDD0CE756EBEE74D7763FC74D98CD7264404EC8F309BE3F628C3F3D64C5C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032510Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BD-6112-8C06-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032509Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032508Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032507Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032506Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032505Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032504Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032503Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032502Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032501Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032500Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58BD-6112-8C06-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032499Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BD-6112-8C06-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032498Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.397{82855F7C-58BD-6112-8C06-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032497Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.272{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15545F7AF6E897BE8A3485F4E8F173F8,SHA256=E162A14DE3C45BF24968CF223183EBACEEDD07CAB906F786D06CACE4B4EC7D9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045961Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:15.558{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64328-false10.0.1.12-8000- 23542300x800000000000000045960Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.207{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045959Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.138{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000045958Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.122{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000045957Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:45:17.122{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.19.95806897C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045956Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:45:17.122{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.19.95806897C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000032496Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:17.084{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09AF3FD4A09733D42B01AA49A7452D15,SHA256=59404517167956FAB84613D46CE5C5C9288D33804225879791924CCCA7988D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032526Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.631{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E29C9E0B38077A41109B5ACBA0D333C7,SHA256=3E7F27C988EF2CFBDBB5B5C0E09DD2A6E5C81348324C2B765245578F16131DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032525Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.631{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE87E98586C0E86EE1BA0D249DDC1B3,SHA256=4C5FBD907C989847148ED4B2D401C7FBA959B1F286FFF452A873EA62CCE8A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045972Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.537{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97EB6A847B9F0886719448DB45324E0,SHA256=9747C8272871BD24FB454EA2ACE8ED1987328449CFF5849A8D202CE049461D8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045971Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.561{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local60543- 354300x800000000000000045970Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.559{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-15.attackrange.local62894-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 10341000x800000000000000045969Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.070{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045968Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.070{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045967Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.053{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045966Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.053{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045965Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.037{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045964Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.037{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045963Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.037{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032524Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.240{82855F7C-58BE-6112-8D06-00000000E601}8282704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032523Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58BE-6112-8D06-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032522Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032521Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032520Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032519Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032518Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032517Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032516Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032515Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032514Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032513Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-58BE-6112-8D06-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032512Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58BE-6112-8D06-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032511Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.069{82855F7C-58BE-6112-8D06-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032527Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:19.647{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE35D8A4C30C260EBF0E8D0502650AA,SHA256=315453881E28FD73F1FD635B93B11F4E5A4870AA2B5A0BD29F1D4EBCAC3C6BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045981Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:19.552{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDF19007E1FE0A5A5A0B99E447616A0,SHA256=F5976A4806A09F869BC9A6E76028B94339785193AA4D48CA9BB35FBDCCD1EA08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045980Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.433{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64331-false192.229.233.50-443https 354300x800000000000000045979Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.433{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64330-false104.244.43.131-443https 354300x800000000000000045978Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.362{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53562- 354300x800000000000000045977Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.361{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51873- 354300x800000000000000045976Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:17.358{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local54964- 354300x800000000000000045975Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.663{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64329-false104.244.42.193-443https 22542200x800000000000000045974Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.563{82A15F94-3D89-6112-C804-00000000E501}6460twitter.com0104.244.42.129;104.244.42.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045973Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:16.562{82A15F94-3D89-6112-C804-00000000E501}6460twitter.com0::ffff:104.244.42.193;::ffff:104.244.42.129;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000032528Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:20.694{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04BB00E583DE879E2CD77786BDDEEEC,SHA256=B5348BA9EFDA79A96167F682A3C8415BCA32C990D87F9068CEDEF6059095461B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045982Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:20.569{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4738E443876535F2469541E87003466,SHA256=A944E99715A0FBD6B552569DD5A6EF835D54DBBCD4B23084B24FE44DC373741F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032530Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:21.725{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251293845C9FF074CC924F44998AFC9E,SHA256=00A03EABA593709CF706DC902E1EE533906B75381AF534A513066DECC940BD92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045986Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:21.723{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046905CDC6A41DE5FA2B7D653F9A2070,SHA256=E05CAC1A150A81F88FEC70D0BBD57B780BA9779BA67319AFF0DA75E92BFEBFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032529Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:18.943{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045985Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.840{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58417- 354300x800000000000000045984Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.840{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:2600:0:98f0:c1a4:8bde:ffff-58417-true7f00:1:0:0:0:0:0:0-53domain 354300x800000000000000045983Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:18.804{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local58417- 23542300x800000000000000045988Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:22.738{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1E6FC22B0D08B6A3366756DD17685E,SHA256=C0667B22388798FE8CBD66D0172CCF9D0B393C72B02A613AB9DA95EFB31E6716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032531Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:22.740{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22AFFEA27B230B390FFE42BC9406F85,SHA256=3A7D9EFEA64CEF3BAED5A2635BF36D69E58038260BC3A7B3B04DEBBBA2F400A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045987Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:19.239{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-65441-true2001:500:200:0:0:0:0:b-53domain 23542300x800000000000000045990Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:23.775{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3194289DBF2B83281A763DB7C1E1CF1F,SHA256=1C59EF8885A88798AC991717BEE12FDB9E56ED2490A2DEDE64921FC696BB55E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032532Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:23.740{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336ED13378DD5D51936F59000F001E75,SHA256=5753D6208C357E5559BB95B51F7D8DA8DECE7044005DE77420BD32D077B87706,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045989Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:21.489{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64332-false10.0.1.12-8000- 23542300x800000000000000045994Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:24.823{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBED47516FD8123EAE2B65A65F976011,SHA256=EA503D11ADE2BF20B3BD7ABB1BD7B9E33796B1F72751139A84915BEB135C39F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032533Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:24.787{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E01375E540C25168F8D91AFADFD70A,SHA256=B74CEAE0DE1A19C06FBAB89BD235C9681D45D72769A367770722CB24909EC5D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045993Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:22.236{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-55581-false127.0.0.1-53domain 354300x800000000000000045992Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:21.904{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55581- 354300x800000000000000045991Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:21.873{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local55581- 23542300x800000000000000032534Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:25.850{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F3530CA360E28DB30EB38B48D101AF,SHA256=73AA5FE5FB3E9B1DFA1AA8560B101984F944D25E24C385B2BBF08969D2498F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045996Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:25.838{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25E709BF3DA9B9AC94D41EF35793EF,SHA256=47DC585C10DFD2FF38A2182AC151CF229C1A22D1A419B6193A3F2CF4564EC262,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045995Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:23.073{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-65441-true2001:503:ba3e:0:0:0:2:30-53domain 23542300x800000000000000032535Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:26.865{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1942C5C6D78DE0F9D85EBB655C4EF32,SHA256=22C48BCA610A5900D7D60FC3081CBB10D1C651F53F58C86A4C1BE49543124196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045997Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:26.839{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75524195AA82A34AD48FB035F40AB94,SHA256=7E4CEDBF48A6BD6EDA9A86D5F2565AAAB89E98B4FF9988C7C864251D2A3AA0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045999Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:27.854{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB01E8CD54CEAF3AB8527518D26157A,SHA256=062E9EFD889B8FF52733B7694650A8A192FF7803E492AA86AD2A8ECC529A5CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032536Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:27.912{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E533F67A0216C753736354732ABA0EDC,SHA256=1B0D819B25183F04D1D2B375B07E8E48E67BD7F8784B4A7A67E55C53706DAB1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045998Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:24.958{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50600- 23542300x800000000000000046000Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:28.872{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9825563ED8CE58DB1C2524C2D4AEA392,SHA256=4F00B1FA5C36BC2CDA49B412B66A8BC073DDB286E2E321BBADDF3C3C9B36E29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032538Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:28.948{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103ED90FCE8E77E82E51A9D1342BC0B9,SHA256=708E59E7190EBC5451697E5C3A0C7B0FE4A435667F46FC9F2627D344EB6A2A08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032537Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:24.865{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51486-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046003Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:29.891{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB5A81B039D0F23DC10492DBAF1CBF2,SHA256=7CBCFC27A72539D43DA6ED094CB0C76462745182D0618D7D194B50383232847A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046002Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:26.690{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-65441-true2001:500:a8:0:0:0:0:ee.root-servers.net53domain 354300x800000000000000046001Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:26.490{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64333-false10.0.1.12-8000- 23542300x800000000000000046004Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:30.921{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1359D017FEA3FD62790D1094C70C2B7F,SHA256=764FB9E170DBCCD6FA1EA66AAB6DEC8068717021A045FDDBD78DA6C101BC27C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032539Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:30.011{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FDF48BAA0A9DAD4DE4AD6D26EC9848,SHA256=EB6214FAD08E57BAC12BB255DD21D1C75D085C597AAA502EF91B53CFCF4CA001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046007Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.952{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85338CA0EA923DB69E4A4F346ABC400,SHA256=614A32C04B55ABF9A2874978978D6CF012DF32808D53A8AA488C40A9008C9D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032540Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:31.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BC4566E9C960C061ED2EBF7037D595,SHA256=2CAC98C1BEDD12337524D3F0162D7754E05DDE26A9F8D299CF061E8B389D050D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046006Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.453{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6C19FB6AD68C3170E26792ACDA700079,SHA256=DA01D5F0E4696C8A40F8D6D0D5C2E17D6A6EB744941B645C3B5C805682353998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046005Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.453{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4250B8C25F2D5F0AF62998F786358D20,SHA256=7FD0CFF92E8A68CC058CDA040BCDAEAEA26158CD3F63CF799B6CAABDF5926A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046010Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:32.970{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B21D2E8932E76F15D1273DA3B2C100,SHA256=65ABE18B6464000AFD7C5E16F4F628AD50EEABB0DE6BC11FD3DC9F42E53C341B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032542Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:30.011{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032541Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:32.074{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9C43E5A134730A12CDACD79F1D6A0A,SHA256=16101B06C7A1FDB11B287A2CD5D0112E3F660E9F4A99C2C72189AAAEE7E816B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046009Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:32.920{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BCBD6DAF0551442E4AD28948A7D9901,SHA256=360FA86B10E6374931355ACC2F8E36449717E4A46054AB2EC646C22BCBFF983A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046008Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:32.920{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB333F2BB977E984CE8053AFC975889,SHA256=32BB506ABEB6C4AEAE1FEF77BB8D3F2C6EBD387A01AC551B93D3EA853AD8973F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046014Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.325{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64334-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046013Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.325{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64334-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000046012Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:33.436{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046011Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:33.020{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032543Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:33.105{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FEB099125B101DF157BAB5486D1BDC,SHA256=361DD3590CC2ED08DC0D824F550558A166666A338831F883EEFFC692080E8F44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046016Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:31.641{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64335-false10.0.1.12-8000- 23542300x800000000000000046015Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:34.004{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B606639DD0822B7349CA85016CF0C1,SHA256=37DDF2E90D5120818BFDDB88911F6585370E7135AA7211BF3EDC0D849ABB7FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032544Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:34.151{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1489F8E705461E480F564FE54587EAF5,SHA256=A0A7C03E33B1644505ECBBC9CBCDD39535DCD4787F8AAA9E48FAE293A466E12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032545Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:35.183{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4285ACCE1B9D78830ED91835A7852377,SHA256=F7DB27237F58ED6689D87E358103A8F182E703D74F1613623342423CEA9EEBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046017Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:35.020{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00543BE606CD5B719C529955E735AA8,SHA256=4D01D8A924ED02470B98BC4555049F6415AF9155AC386A8897C5980667E57C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032546Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:36.198{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D72186CC5971B767119AE831F3A57A,SHA256=7A4BFADBCCDEBE7B8FD47EFD1B2273587B60D4F4A71D1DA5096B5DEBEF77A0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046019Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:36.035{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEABDEED3DD74D03E9CE0F28ADFFD7E0,SHA256=792F7FF5AD3BE7CEE48DE11C29BE7ACC3BBA91C5840358BA8B6928AC686F5D2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046018Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:32.856{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64336-false10.0.1.12-8089- 354300x800000000000000032548Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:35.948{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51488-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032547Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:37.199{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720DE4D4B14B8BB75EFEBBC8566C69D3,SHA256=238D2417F67968B70E7B20EF9EEA138668ED3A3049B3C222F143EF1622772251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046020Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:37.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE22EFF0035D642511070CB91369690A,SHA256=3467DF835EF8DA9B0309DB67F3A286817FF5E019FFAF907D1C41810BB214B2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046021Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:38.067{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33327DB92179078034F12F8E5902DB6,SHA256=67A6B440DA56B5D12D81D12968E87A8014E0BE28BCD38E7D39685764863CF01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032549Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:38.214{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ECEF1A1E820E9E7441A6C497FEAD2B,SHA256=3CACA31FAD29B71715B7EA38F3117280A655FE7B11D451C5500A9FEED6A65B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046022Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:39.086{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9526C40B49077F50DAD2A33BDA62BC55,SHA256=2A5F05B827D54E6407703D4C2FB1769180F5A0900B2ECD82BAD000F2FD5AAD22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032550Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:39.230{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4F2AEC4BE06B7BEFAB8AF293953A3,SHA256=4723A3A534CE2F62848EA10A56E39644383CF1E4DB7B106C5C33A5181DD9D43B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046024Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:37.584{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64337-false10.0.1.12-8000- 23542300x800000000000000046023Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:40.148{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB0059A96CF151D5094887BC15AE207,SHA256=73E5BE0FFA01638AF2D06B65A2BD1D62E46EB44994588A6A90129F09F1BA1FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032551Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:40.245{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DA1FA08BA33670919BC294AE159166,SHA256=7B609F49B5CFA13866CE0B543150376372A30B14E69443DA89D57A2C9C7D9B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046025Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:41.231{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5130CD243BF4F379D31ADC0AC611847B,SHA256=4E99AB51BDCE95FDCA186A851F03B66DFE993257F0345D8F668D9088E5040B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032552Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:41.278{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98E867BC508473449C7D7262E391921,SHA256=5EC8A044A1F43C38D0B45B334B492368F41743F3B91AF6E4245EA395436A0F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032553Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:42.306{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3404F75C59AFB3D0C07A5F6C50E867B,SHA256=D2AC4F8E76ED46B8CD374DB6581D3D8F9E0D4A5F03576A0271DB11604D891EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046026Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:42.273{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB14C9E65D4347F17156B53ADC4C5932,SHA256=56E01E3507D0A52353FC043089E185F869B7CBBEF8E71667F249CC0FEE136A2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032555Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:41.883{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51489-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032554Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:43.370{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5974FE61139EC997DB19B476A61121A,SHA256=B9C960994106164810F4B313AF394750DF02BF5274AB3423795EF25FDB309FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046027Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:43.276{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220039E074C1361C2F22E2275CE7FD56,SHA256=698FA5E491EB52A21374D2ECD617F5D7EA5119FFE3D2152B9AA6F183B1CE82BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032556Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:44.386{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A354C72FE47200F9A0E1F784E8328A,SHA256=F99A178724CD7655501DD77300F6BF4575810EC91F09462A550367B76E4F9EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046028Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:44.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A52E5A05B8661CC2D43BB41AE56CF7D,SHA256=432FC69BAB0066A70982E3549128CB43069E72B1C07A32B2A57BD22AA536C543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032557Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:45.448{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AB0DC76AB0A2F424493C1F1C43B8F2,SHA256=795F666251735340975B61CEF44E6182CD16B8EF9EA392A02B91DDB410D90682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046029Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:45.407{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B836B0694E21CDB9C6C4D08BC7A073,SHA256=00B6F9B0499A89D8862681C0F07595B31D3F0020E75C1D29F52BFADAA9CEECC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032558Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:46.480{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91640941A90482F25AC1EC0F2234B890,SHA256=FF80F7BA21612F11A0BA52494FFBA3DD4F85B1F8173748D2879B0B4FA1F1F776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046031Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:46.422{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25153FAEDA1E7FA9374C9DB87EFE7639,SHA256=04DB3FE3B3D1DB6BDF19708D8AF9D9BF3D806D13B6A70C651EDF93BE4F616F27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046030Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:43.489{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64338-false10.0.1.12-8000- 23542300x800000000000000032559Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:47.495{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B45057993B09B6D7DC7B65824B1FD44,SHA256=084847C16682C0B4821FE1EC79FB947364F707219DCC61ECBFECE27C7F481B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046032Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:47.452{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589AF68557FEC3C57ECD48F38671FCFF,SHA256=6AB37BBF7C012591ABA340EA60DF911C5206C01C1288D3E3BCD978E4C0AADD87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032561Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:46.917{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51490-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032560Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:48.526{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00ECB9C4434D2056BF59BF330477C73,SHA256=1151F2F9988C9D64685A72392DF239119D4522AD32E8952485309212563EE39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046033Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:48.471{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA8195FA598DB09353E0053F5D1AFFA,SHA256=577725CC9491E0DF1202F7E5B456BA5AABF6A5A6A9BB62D3E6D8B6A4A1ED00B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032562Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:49.542{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD77C7FB1367D0ABCB44BA57D1D8E69,SHA256=706842849847CDB0216DFC784A42EA48456B8DA5A4B45A03F5B72ACCE5E1627B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046034Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:49.522{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC01DAF769E0F2465634F71ACAD1F48A,SHA256=AF1794812F110C4940C75D9BE294163451457878643484EF70E012FAD80990DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032563Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:50.557{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA9FCB3ACDE1794EC3C87182D0602D2,SHA256=6FE11E7E70EA6F352E6D8AA1197ADB4ACED3150E3F9B90AB897912FDB44EA5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046035Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:50.539{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4C3A357A830014F02C59C733029072,SHA256=AC3EC258B49DE695D1EF13634BA99839A4E3B4B888531A88EA1CF17DC7AC7A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032564Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:51.573{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF31D2FD46BB62E750FB32F829CA331,SHA256=BE210D87236F1545F7CC1961CFC120D3AD198973142ED48485C6C76C5355FD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046037Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:51.554{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CDEB19EFB3ED381A7A341910594FC6,SHA256=00164C0332330DE7AE9DC3B4DD68D5A73438F39119DC1540484F72868FB233E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046036Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:49.503{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64339-false10.0.1.12-8000- 23542300x800000000000000046038Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:52.591{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDB7D20D0D26F6A3606D86BDF3FD96A,SHA256=4E947038D8F0CB54DF4558E0E4CD8F8C76C792FC366B420CF127EC83FA587E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032565Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:52.620{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2970361BC28FFF61629E05BD5EE4FB53,SHA256=6547E6F552C3230FFAD2406014AEA28F62ABE2AB2E1A0FBFF39F82389232D65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046039Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:53.622{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED9AB9316F5C718627551EF9A595E39,SHA256=E145A4DB96A1CDAA83B941B3036B92C6AFDE15CDAECF60B9A803AC892E6C5E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032566Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:53.635{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566870A92A74D7F705054F7E9AF24E04,SHA256=FEAB700A88886C09C7345BED17BCCD228166A9CBA4470E2AE58558F869E5B851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032568Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:54.651{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8A542FA72BF8867BA55488F70031F9,SHA256=A6581AC412977AEB45CABA030F1E060DA52063AB2D011E2067C9ED2E5E782227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046040Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:54.638{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A249BCB2E6A2583FDD14F4893FB3C6B,SHA256=B2280D3B28C4684236BCD308C26509308CDD4840B66D12F347DFA4F28F979786,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032567Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:51.994{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51491-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032569Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:55.682{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83FA6F0BF29F9187D1022E03E91E6EC,SHA256=7745392F1AFD7CD52FAD5DE8B498900D1614E8A673A3D449A95DF1F25F4E1CBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046058Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.937{82A15F94-58E3-6112-1708-00000000E501}39925656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046057Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.774{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E3-6112-1708-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046056Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.772{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046055Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.772{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046054Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.772{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046053Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.772{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046052Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.771{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58E3-6112-1708-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046051Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.771{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E3-6112-1708-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046050Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.770{82A15F94-58E3-6112-1708-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046049Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.653{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F95A0994F8E8D86EED547EC4C6316C9,SHA256=99818A0AA04203C93EB8F9116DAE2BB850F4F1EBE3F1133B89A5E43777663F0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046048Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E3-6112-1608-00000000E501}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046047Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046046Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046045Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046044Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046043Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58E3-6112-1608-00000000E501}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046042Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.153{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E3-6112-1608-00000000E501}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046041Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:55.154{82A15F94-58E3-6112-1608-00000000E501}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032570Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:56.729{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81D78D3B7D52BC058BAC692631B753B,SHA256=53228FA1280561A046176721365523B899E096A58AE4E230B2DE9EED3FD26DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046069Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.675{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476575756EF508DD9624598EBCDC58CC,SHA256=8C33BF0C8E59B6343774E3B3080C7E2FEB4EB081D7FB8E0EB9B13EB3533628F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046068Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E4-6112-1808-00000000E501}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046067Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046066Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046065Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046064Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046063Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58E4-6112-1808-00000000E501}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046062Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.391{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E4-6112-1808-00000000E501}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046061Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.392{82A15F94-58E4-6112-1808-00000000E501}5944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046060Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.154{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A601E72C73A1BF82667E2D0E798BA6,SHA256=6295DA4E290F4B79E39B34EA690201E5001C7FE5383723F04C085785A9D700A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046059Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:56.154{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BCBD6DAF0551442E4AD28948A7D9901,SHA256=360FA86B10E6374931355ACC2F8E36449717E4A46054AB2EC646C22BCBFF983A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046089Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E5-6112-1A08-00000000E501}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046088Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046087Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046086Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046085Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046084Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58E5-6112-1A08-00000000E501}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046083Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.838{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E5-6112-1A08-00000000E501}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046082Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.839{82A15F94-58E5-6112-1A08-00000000E501}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046081Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.707{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F41649905841EE0B280F2A1D9D6E835,SHA256=1C56BE2E34A6C0975D1EC6C083464FF6E26BB106BB8B0591C6ED87576432471B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032571Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:57.776{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908789EEEEE8D9FF5BC7A070089E25BA,SHA256=A1DED156714E172FEB945D05F5F7DD5CAA32835460B7C566C8AC8A039B3E974C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046080Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.538{82A15F94-58E5-6112-1908-00000000E501}29446164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046079Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.406{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A601E72C73A1BF82667E2D0E798BA6,SHA256=6295DA4E290F4B79E39B34EA690201E5001C7FE5383723F04C085785A9D700A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046078Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E5-6112-1908-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046077Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046076Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046075Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046074Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-58E5-6112-1908-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046073Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046072Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.337{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E5-6112-1908-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046071Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:57.339{82A15F94-58E5-6112-1908-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046070Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:54.657{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64340-false10.0.1.12-8000- 23542300x800000000000000032572Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:58.823{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3897929F13D8338281ED4AF3C20613,SHA256=436A2908E321C4349C19A4CA3932F82E243A5147940AA0AC3B03BC84FAAC96AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046109Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E6-6112-1C08-00000000E501}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046108Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046107Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046106Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046105Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046104Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58E6-6112-1C08-00000000E501}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046103Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.928{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E6-6112-1C08-00000000E501}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046102Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.929{82A15F94-58E6-6112-1C08-00000000E501}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046101Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.843{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20584C75628BD64F9B0EAEA5E1064B4B,SHA256=E57646D1DEFB6E0D9453D7294ADED7012FB2BC3B726B8A97270DD8D67739A807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046100Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.743{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACCD173845A6DF7C62015F451198068,SHA256=9618C63B98F0F2F52786F0E45165EF549D37BEA951E3A082E02C880A6E4D6723,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046099Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.512{82A15F94-58E6-6112-1B08-00000000E501}48205932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046098Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-58E6-6112-1B08-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046097Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046096Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046095Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046094Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046093Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-58E6-6112-1B08-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046092Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.343{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-58E6-6112-1B08-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046091Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.344{82A15F94-58E6-6112-1B08-00000000E501}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046090Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:58.075{82A15F94-58E5-6112-1A08-00000000E501}67886664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032573Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:59.870{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82096B83D034633604A502C9E9ECC884,SHA256=6622409630D840786C52BFD8026CA12E01216C8A759092EE69D002CB05A7638D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046111Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:59.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C7BB254D9B4E2BD280CA7CAE71144E,SHA256=4315354C449D0C15F84054C3F35D4982E25C38C2BB9AFF7B8AA0374E7DA16448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046110Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:45:59.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E4C79B4F98C93D1325021D182B4986,SHA256=1E91CAB5A790A475D78558098B7394D36D97E415E145EAF3F3827E623980D662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032575Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:00.901{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5787B573066F040284278183E1A263F,SHA256=88CC33AB3D4B0BC1F1FFA680ECB9D6025A73E7F44A7225E1F15FD0213F2DB3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046112Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:00.814{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0D6E8E689A91C896FD5D3964831687,SHA256=1A28208BDF9DB79C41C834B1C4DA5C501855D9548566AB75408C06FFED223856,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032574Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:45:57.933{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51492-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032576Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:01.948{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A7A9621D760A94BBE39BA80E4D83EB,SHA256=86D6BFFBF66EC5A10A6A6B13E8736485F594F974BCFBF7AEA6888A4DBA1A163C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046113Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:01.829{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0498253BD02F0F5A8F5ADFFBD252BC7A,SHA256=E996001F41E77B2B1BF0FDE0A473CC3F688D16D63A61B3C1D4AC510A8C6D3AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046116Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:02.897{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1588AD49004E23FF31B29FE50B5222B6,SHA256=FB86ABF4527A41F83422C5731AA3C36B58025271185F812844A2B4B38EFAFF6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046115Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:00.549{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64341-false10.0.1.12-8000- 23542300x800000000000000046114Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:02.076{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C4CFCEEEA7FD8D70047F4379A4D98DE,SHA256=2C98DA26923E6936140C1B9573C3622E57B5DD96E8C3D60F11993929E39C2475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046117Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:03.912{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD588C3CEEF44842CD8ED89B1DAF7F3,SHA256=19D82E408D179CF594E892561B5FF39696B42C93F62F96B9152E386715C28E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032578Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:03.823{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032577Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:03.010{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D553D933A3A21BADD272F917B62CF3,SHA256=424B31ABDEC4F62BBBE9AB0DBD064501C07C68C7880223493ED1B3AFE949AD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046118Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:04.912{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80897FE31C3F4A9282DA6584D9FF77E,SHA256=CBD6392E80E89322FA5536357DAC0DF2EA52B58A68A589A1E3624E0BEF17047D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032580Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:02.978{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51493-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032579Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:04.042{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757B6515256E9779F713E1C6C6375F9F,SHA256=9693E530549B51803FD79D398B857EFE83BE913304B454A226815A6C43C8D64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046119Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:05.928{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5E3161D0EFF7EEBD352CAC2368FDC9,SHA256=FD8C904F7A9EF38FAE706A7C037F145741265E06576F18C2FD3E9D347C574736,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032582Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:03.588{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032581Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:05.088{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDAC31FBF434C10BCF8AF5520F2C473,SHA256=75382F35F968568DC1909E62DB46493CCD8C3593DDADDA38FFA9891C8B69B624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:06.944{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620DBD7A8047EECBACB578714F3C50CB,SHA256=ADDDCFD3DB5B52B0C0C7F6334A5AF750BCFA9065A653FB89C728A4AEA05F5EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032583Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:06.104{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BBA939A21245240B9B8E66EF81EA08,SHA256=54798D052B1E37D0B26A8CF6C156A21B769855FF89534A1CFAC7CC53516DB802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:07.978{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524FEC89CB9753D05388223772324815,SHA256=53D2B9122AB2EB020C38ED3FBF019C634C3D0D9190792FE714F8A9AF0EF05784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032584Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:07.213{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6E0F6F40993BA1CB78FDF5218E45D3,SHA256=8C6D78B3097078AC0AC5C4BC9C01D61EAD762FD4EF9A11D808FC2A79F16FB99A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:05.694{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64342-false10.0.1.12-8000- 23542300x800000000000000032585Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:08.260{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEEDDEB0B6801B1EB961053579AFF97,SHA256=A670FC44BAEB8883D781BF9014F72FEA616CBB7288DA2D487E2A6B8F85ACE830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032586Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:09.276{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAE09A55E8B4B4F68DA066A13FC9A7B,SHA256=8C117CB0184507E809CEF9529E0CA383DC30D425FAA9B5CD0C641ABD006C67F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:09.013{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D89A74E5B64EF2D0BC2F6FE59D0673,SHA256=125B1C280C4C3B9F197B33789F5B477F42538F3456295EDAD24C835B07A20DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032588Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:09.009{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51495-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032587Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:10.307{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78B70AECCCE44C1D39536A52A54811D,SHA256=24F9DFA936E385667CBA1FB8BEF4ED77CE4C334751B9E13603FE1DE7C0850394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:10.028{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BD9491265192E22B450606BD025AFA,SHA256=CD52EB8650786859D01E81C64603D71EECED1DACDFA3EE9A0DC6EEF89E2F56E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032589Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:11.322{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B722D8C8B8D33E2F813028F3DE521E,SHA256=7BF50EC913484E698620D5E7BA8836F9F42149E3F86C42472C078AE1B8222EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:11.077{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087194582E8893266EDBF6276EDE403,SHA256=58ADC511B68413546DDC3A19056AA019A95588F23FCE68DF82FAD81AC8124B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032590Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:12.369{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52579038077063C10D90A3CA9E682876,SHA256=28F6827D3B81DE21E6A8A4DD0FC07029B903AC7F3D41B76FB0A3C7D44274E482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:12.595{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\aborted-session-pingMD5=BC882B9C9280F4F567F3E30542A35F49,SHA256=8EE5FA20E96ABE975F80BB029BDE2CC936784B88B8C3A7484322F99835F0F1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:12.111{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB640B688C5F6918D20E6D7051BC162,SHA256=63DF8A64E66120F2BB4C0F22FB822D6DF55EF14FB50F0D1514CB397B5C6CAA77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032604Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F5-6112-8E06-00000000E601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032603Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032602Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032601Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032600Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032599Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032598Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032597Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032596Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032595Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032594Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F5-6112-8E06-00000000E601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032593Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.666{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F5-6112-8E06-00000000E601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032592Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.667{82855F7C-58F5-6112-8E06-00000000E601}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032591Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:13.401{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0535F25BDEAE16BCDC841027442B6715,SHA256=7C26E98BCDFBE2D7AF8408E97D94212EA56BA0DA724D7D1F6E683192630AC085,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:11.646{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64343-false10.0.1.12-8000- 23542300x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:13.126{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C766C79697C55FB4AE30EC1714D2B463,SHA256=A1AA04C2398684C2EDD075702E419449E4CC39A93B230A98E678DF37025703B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032635Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F6-6112-9006-00000000E601}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032634Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032633Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032632Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032631Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032630Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032629Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032628Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032627Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032626Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032625Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-58F6-6112-9006-00000000E601}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032624Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.854{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F6-6112-9006-00000000E601}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032623Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.855{82855F7C-58F6-6112-9006-00000000E601}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032622Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.776{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=464A74BE46A4E99CD4B372549C1692DB,SHA256=6EE193089DE2BA643E228A4D9014909AA82930CBD8BF4BA465E28941F9023B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032621Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.713{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB952A44C77FB9FA52DC1791975770D2,SHA256=A84123C7DCB57A918EAD6D87FABCB9585373283FAE4248AB0D45803E4BE50A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032620Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.713{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FA4751F3370EFDAB9F1327A5A6DCA25,SHA256=F181824F14C289371038084A3F02B41A2463AA6A0848697B20BE9F6E3F5C9074,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032619Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.494{82855F7C-58F6-6112-8F06-00000000E601}684172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032618Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.494{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6D71035683E0CAA2AA9DC811EA1912,SHA256=A8256226F46B1124DD1880DCE3482121BB8B62AA8246C1183644D4805EDA4C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:14.141{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D716E98A4D896D0D0170E3D142CBD8,SHA256=46A8D062386F4C9D8952F16856E0A7F86CEBF063B297F3C00052C39A530026B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032617Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F6-6112-8F06-00000000E601}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032616Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032615Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032614Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032613Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032612Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032611Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032610Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032609Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032608Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032607Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F6-6112-8F06-00000000E601}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032606Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.338{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F6-6112-8F06-00000000E601}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032605Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:14.339{82855F7C-58F6-6112-8F06-00000000E601}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 154100x800000000000000032638Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.996{82855F7C-58F7-6112-9106-00000000E601}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032637Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.869{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB952A44C77FB9FA52DC1791975770D2,SHA256=A84123C7DCB57A918EAD6D87FABCB9585373283FAE4248AB0D45803E4BE50A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032636Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.557{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1680B915C8C6877CD85F1B5F9DFB7C95,SHA256=4AEBD58BB75FA790CFA24A7BB0251E77B7A6826B53542A0CBF7E16C0DCD6ED8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:15.156{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0206864681750BD7BC95CAF9664250F,SHA256=0A6FCF96CC86A3FEA264700F89DF77C141C572CC0E7BEA9398F4180DB90DD8E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032667Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.009{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51496-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032666Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.666{82855F7C-58F8-6112-9206-00000000E601}27243132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032665Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.619{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C453BDABA07E63F70F3AC8AAAB497EEF,SHA256=16A1FD58BBC73F852B92560FD291A58819181F56B20ABAB8EDEA0D1ADAEC443A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:16.173{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4101818A329F48EEC1D148AFB20704AC,SHA256=88D0097D744D921077551D035EA7AEF096A1C663166218AF07AD60DF94B3B5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032664Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F8-6112-9206-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032663Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032662Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032661Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032660Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032659Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032658Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032657Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032656Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032655Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032654Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-58F8-6112-9206-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032653Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.494{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F8-6112-9206-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032652Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.495{82855F7C-58F8-6112-9206-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032651Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:16.244{82855F7C-58F7-6112-9106-00000000E601}6682684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032650Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F7-6112-9106-00000000E601}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032649Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032648Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032647Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032646Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032645Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032644Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032643Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032642Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032641Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F7-6112-9106-00000000E601}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032640Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032639Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:15.994{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F7-6112-9106-00000000E601}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032699Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F9-6112-9406-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032698Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032697Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032696Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032695Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032694Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032693Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032692Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032691Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032690Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032689Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F9-6112-9406-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032688Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.838{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F9-6112-9406-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032687Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.839{82855F7C-58F9-6112-9406-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032686Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.713{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04454344B049904A5892956516C6155C,SHA256=A51CFC0051CE11AE064283F556061AE77821E53EF5D1738B8FFB386217AE84EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:17.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E4631101C659152EA58DDAC54CCA2D,SHA256=47B1F6D2272A25E2F1C266750BE198DA6D6E5FEA59AA93F95977A6D7657032C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032685Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.322{82855F7C-58F9-6112-9306-00000000E601}24961344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032684Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-58F9-6112-9306-00000000E601}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032683Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032682Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032681Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032680Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032679Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032678Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032677Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032676Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032675Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032674Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-58F9-6112-9306-00000000E601}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032673Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.166{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-58F9-6112-9306-00000000E601}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032672Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.167{82855F7C-58F9-6112-9306-00000000E601}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032671Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.057{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032670Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.057{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032669Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.057{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032668Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:17.026{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18448691FDC74B8EA05C392A205466A1,SHA256=0AE0094046DCC20D3D0464F9069E8E20728F4E0648349ACF8DEF0E8C7A1B9D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032701Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:18.760{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1366DB808069F8DB38AB31920D45DA,SHA256=7914B8F6103CD4B21564E0EE43648F1936F0357C8E422CDAE1BE4F638F5A33AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:18.553{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:18.506{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:18.506{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:46:18.506{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.58.180477827C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:46:18.506{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.58.180477827C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:18.207{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FB285EE57B9F9B1784B50D6FC29EFE,SHA256=B10CE2D2BB6E629A1A01165093421AEA441422B85090918F61558A170AB1E684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032700Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:18.276{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=158464C845124590E681AF301F46C6A3,SHA256=8917E41860550E0E55AF17A39678BDD5B806AD7FD815FF5F25D751D5AF9A3745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032702Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:19.760{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A36DA4A9881C6543D83D7E16A54D65,SHA256=1AB49646E5198821D1D844792AEFA83697A3DB41CA9FA9AA32CF350A1D5FE65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046148Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=8D481AF18541A3FB428C6EA1A5D1F7CF,SHA256=D403DDCB1406C863D49E8733FBF5B9781515D073FC9E8FF0C43602207A4F6885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046147Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4CF56037BC43880A18E24322FA80BA75,SHA256=82FFB45E384DE7C441B73912D0C153D11DE0715A397F69EA76F2FDBF05194EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046146Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=6F20206A5EB7026139F208D1418B3BAE,SHA256=C61A8E5CD6E85F9FF2DCF3643727E10EAC20D38295DB55AA9F8220E93383BED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046145Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=BA0309C2C0C7AE4863520D98BDFCC0C4,SHA256=21E611F12D01A1F55B08EEBB1B88F28E542617D47A508BBD1C4F314CF2AA032C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046144Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=AE8B5174E37771726CAE3D0BCBD3BAFB,SHA256=B77FB068F6EE1D58D3D16D7717176FED631602213FCBD49098B7BBEB5BF733C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046143Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=859B706DF9A4BF3DA3F92D0032852801,SHA256=80CC0E5B4A6D358191843F522590334C828493E1CC0310928CD0B751E75E575C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046142Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.891{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=9B50F8A39D1D241636983D856F4703A6,SHA256=CF539CDE8A254E02BEFC03290B09BCFC7D4BEA7CDD52DACE022DC0D6F20F45E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046141Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:17.558{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64344-false10.0.1.12-8000- 23542300x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:19.238{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5E83B3DEE815309564671CF85727EF,SHA256=042AC1C8C36CDF065AE567A1CC97637C0D381FD49E38410534F15E8F404F9EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032703Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:20.776{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AE4AB1DEBEBD085FBA2A8ED6340F07,SHA256=46810DCAAAD34DBFCD0DB5BBC75B4956F4DDE4FDF80E8891F027A5499EE5A16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046149Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:20.322{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB139CBD6C118AA054242E599C64B8BB,SHA256=55FF7998DD5E15FCB3EC2CB321AC49FF9D39EFE68E02D738317C5575CB18DF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032704Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:21.791{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD803D8E7701988F8187DD485D32ED71,SHA256=022536C73C3F4EEFE4B14921EAA955846D8592B2934A7BDBA1A858725FF938B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046150Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:21.337{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5588C9FE049076F8B39B81AF661F16,SHA256=B2FD02D07DDB32B8E9A5E286254BF4BD8CE626BF99E607741FBC29A12841D0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032715Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:22.807{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757215223023BD67027913DA0C7B293A,SHA256=EB32B6F0EA5BF6304DC1C8E3D09A0CCE573F917AB1C3671A62A57675FF33B56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046151Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:22.405{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64615BDD9D943E3DFDD0592CD03C0B44,SHA256=79FFA7C32CEC7241045F867E09BA85C6278CADBF276014D7751D73BE96056794,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032714Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000032713Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0086c8c2) 13241300x800000000000000032712Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcc-0x93abee88) 13241300x800000000000000032711Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd4-0xf5705688) 13241300x800000000000000032710Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0x5734be88) 13241300x800000000000000032709Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000032708Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0086c8c2) 13241300x800000000000000032707Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcc-0x93abee88) 13241300x800000000000000032706Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd4-0xf5705688) 13241300x800000000000000032705Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:46:22.713{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0x5734be88) 23542300x800000000000000032717Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:23.822{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27D8E0A7BA50C31951C335B71AC687E,SHA256=421A1BEEE8EC65D92C1A90CABF1E8EE4D25842A07DD82263FB0034B7B88DC7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046152Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:23.420{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F631E32CEECCD9CE56280368045A23,SHA256=5E54B88B240760D714B32283EB7C3D17F6B7866EF38894405E84D5252271DD87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032716Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:20.993{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032718Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:24.822{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA54DA368CF6E9B22FBA9BB549EE374D,SHA256=ED05335D85C33EC2A58D990CC6AAA66AF6CF6F1C6A18036FD80F0714E45E3A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046153Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:24.435{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C760536046DA1813D90FE13185190200,SHA256=CC7816208245CDC77969FB459D228DABC84C4F60C857E7A1236873CCA0822BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032719Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:25.869{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E89A3AAE6266904613E16513A7FD20,SHA256=69D6A593366A14191B9591B4DC728E679E16DE0F9BBEF3EE21311793F563CBB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046155Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:23.555{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64345-false10.0.1.12-8000- 23542300x800000000000000046154Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:25.468{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E218E45B3C9E66728019506A286E32,SHA256=94E174013FC9BED2AC8F707FDDCA9E9E1529AB4428A724DC216949032FFBBD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032720Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:26.916{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D522F20018E79A66F646BAE59FE55865,SHA256=E941091D1EF09F5065A1EA498D0A4C3D6F9311E418BFDDD84A84ECB9E27EF9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046156Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:26.518{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BF429E4381071BDF42152672A34F8D,SHA256=EB3B87C7B100C699911B274792F3B430A45F83C5ACAC6D4EA4040011F9492C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032721Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:27.994{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407D2A58607F4FE6C8DEE1BBA9BD8598,SHA256=771E65C913A88E185DC419FAA1383B463F2480E0F23204CCED348A2700A23789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:27.567{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B86AE5C5A64394F87F57E25825DC02,SHA256=C40CD69291C121E8C4789C3100EE5EE0ED09B46A67D4BA81BDDD42B8F8E0F47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032723Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:28.995{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F94C100E8986623A764E3EB7275191C,SHA256=640397B9E5E70B79E26834B1AE984FA8327DF37BE7382DC051649F19017C9BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:28.586{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140A0B13225AACE556AB390FD297063D,SHA256=EE111A406EF5F8833D8FC7DFC785CDE87C84F8F302EC035DCA48B3F303BB4294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032722Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:26.900{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:29.616{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD4435EA8AE353043651E58AAFC8ED9,SHA256=141929A05265D2396530964A956FCF545253067B4011EBB4C7FDD03AEB0EC2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:30.622{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C38D61F1BDE8B9DE97952CB4DD2798,SHA256=74853ED8262D3C9BBDBAFEB98EBAE1EACA018905B10362D0270987175AAA843B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032724Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:30.026{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B460E3596F4792621C1F27C77145D6,SHA256=AF2E973A7B89FB527E9428336C0C0F921D187CA4CA9A0018D70AB91C9B9CD47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:30.591{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:31.637{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ABDF22332A90CA519D7BD0779C2BEB,SHA256=98ED87032345F3E6CB1ACC83442C46D256C46C3510413D4951CCB8EDD5231496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032725Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:31.042{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DCE89848ECA80B88F87D0B77DD893C,SHA256=7D4161B5A827DF5641B92F63520D52C68BFCC5AC6A5FA613C43687720B2DE60B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046166Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:32.936{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAFA484483DB904D0A00C71DD6301110,SHA256=B742FD6CA5560FE97FC7E74015986325E0D265BDDB8D53CB60ADCB5438980931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046165Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:32.936{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB61838F1F4BCCFDC2AB63288C33622,SHA256=EDBC8DD531F35F3CA9DE386F1D9DB8B8689C22B8E93AD6D278EB571A18A5B7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046164Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:32.670{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB27597036F3F34494A61CDCA6AAF2A,SHA256=A270EA8CF32FF90EA7A00CEA35B8C9077915BC0D62A5249ED613AE85BE42D7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032726Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:32.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD9C7330CCB2DD29242DF3819DA8280,SHA256=663E80B50E4353A7A4EF5CCB2D7A78C760DCFB078D9481FD15EADCB943D4DE0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:29.551{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64346-false10.0.1.12-8000- 23542300x800000000000000046168Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:33.751{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF435027F5B45D03896B0B8BC33D25BF,SHA256=FF99D4B7FB56CAD63221A6DB3964A32D68B5E98CAA0585ACEA75024E8AE7660C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032728Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:31.947{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032727Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:33.104{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2D0C94ACE9F1E00B0A7D4C321FBA6C,SHA256=E91752C2EEEDC88F29ADB5A8F607FB8C16F5407A4ACA5E355C44D626641043D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046167Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:33.472{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046172Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:32.888{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64348-false10.0.1.12-8089- 354300x800000000000000046171Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:31.341{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64347-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046170Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:31.341{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64347-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000046169Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:34.804{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685F8D72DCC25AB5F9A9CBC8631AB6BF,SHA256=BDA68C50220E23192E1E6F3703CB0024BE92929281674EBCBE5F925E4514E896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032729Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:34.136{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EB9339ACCD0690A052C9F96D24A869,SHA256=1791A93CB394943ACF399451332656DEECD17C04A7E2BD6D587333A64C4096A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046173Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:35.835{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AA8B6B7279B320FE9B28D9B0DA0E2C,SHA256=E1A0C32C381B48FB22DDF47E7277CC57031CFC5D09BDE623BE566F8A222FE2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032730Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:35.167{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFCC473A030F3AAAEC09B45EFA716DB,SHA256=1AFADA623E563E27104C61F23C7A6B77CE3431ACB6778B45175E2639E83F127B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046174Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:36.836{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6668D9FD06108A3656FC8977AAA966,SHA256=2ECB3C480EBA505E3071B3C9F4C78717FA294C0A9C056740531532F56297BB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032731Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:36.183{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9FB4FBB0594B5C9F723D8CCCAB4526,SHA256=2405CECCC159CD030A47344382F771CBF611BE2B16CE4182EE164F9BF2E20665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046175Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:37.851{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF2E0AD14CB79A28453CFBFF10227FD,SHA256=1EEC6E5F57D5EC1AFC69A60E1A046E93677AF2E5120D2A0B71629A60B17976E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032732Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:37.198{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603507B28FFF4FC24DECB134F61B4ECE,SHA256=DCA2268025EB72CE8918F21A36209A9B6FB1C0BF3BAFECB5E37B30000A224716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046177Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:38.869{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C396CBD47CAE8EE8018E991EC0DC79,SHA256=B6E4DDBA87439303FFCE3DC604788D0A7F074044A0B8E1613DA9DF6226ADABF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032733Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:38.261{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988B6849CA24FCF71A45B9A9BD7FB310,SHA256=8F759F3712C5F01588AE7986F8AD833CA6AB683EF52F4CA292559AABF1C173AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046176Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:35.523{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64349-false10.0.1.12-8000- 23542300x800000000000000046178Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:39.888{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3C54FFFD21DA251D6D621FF7A4EFE,SHA256=4F3E507D0E395BBB5000421CCA2AE50B3780369D4F0B499864B6286918228C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032735Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:37.885{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51500-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032734Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:39.276{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12655548D116CD4CF5C85F2E8A5EC1C,SHA256=74FEFA3BF8D4A127EB14B3FCA536751078344D4B4E378C2ABBDC4FBB9F1A9BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046179Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:40.889{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1642B00969CDE2B983CCB91AB4A598B,SHA256=95F24CC3CE572B10BE3EE0A1D1D914E4A8FE0C5801E7E2634DBCC79F4AD54AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032736Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:40.292{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6DEC1A8685A2EF6A84CD1F16ACAC86,SHA256=32F0CAB61697A3A5DC81AA54A954F9579E0D858512FA51DF89BF12AE0BCBA8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046180Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:41.905{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2A36E1619304CA1505012FF30B6796,SHA256=64AFC9ED1AB845D4E6B72FA58927C0CB05EFF65C22601F1F3DBCC3852867BCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032737Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:41.292{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB27A3A716F05B0B2B2F9311847CC9FA,SHA256=3DE60F037D67D469BE7212C00A00219BFB826AE9CE2B19EADABB4DFD85E33A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046181Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:42.919{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE61532E9DF5EC881EDAE4FA31CD1E60,SHA256=D10D290BE7314C4AA1003D3D03D2175FE785785A4F3EA2943D885BC085F60347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032738Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:42.293{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF232BC1F9F98E8096F6D64D738D1D04,SHA256=B0CFAA965B008F7BBC4E740037BABA2E630C9442FE4D5C577291C71A01C8034C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:43.934{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA31BBD3AEA47F9E566B4F67F0DD27A8,SHA256=60B903E7ADF1BF0BD17AEE38A833ED2D97D2F4F74467C19A4101633B6BC6A5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032739Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:43.305{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3118E19008A99E0D0A25DD0484E36D2,SHA256=B1A17FE89538BF3F9CE4B7EFC9762F53603812A23F1253D5C8FCAB65FB5C2C6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:41.487{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64350-false10.0.1.12-8000- 23542300x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:44.968{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C535EB2FD12DC34537C63AA37814BA5F,SHA256=265003A5895FFA829592F734B7DB687A495F4C86A6AA22A0B9C9F90D6C6ABAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032740Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:44.320{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13F4CA4930F4936123B437B145DDEDD,SHA256=B2E689A0D54C41F0C599BDAD573688E6479F84D0FFA536CDF14F9312CB870E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:45.986{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E905CBD3BE8BFABA43BAEE00DD267447,SHA256=EE60D2D2EC539639282E666351CEC7EA9A3AF6EA013CFF0A0961272BA5BF8C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032742Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:45.336{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C392E5FAE70EF005F7422F8AB85DCE,SHA256=C22E856AB90AFDA20A897DC5902A35FF8A9D406F56C2918C3C6C0E88C03B8BEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032741Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:43.007{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032743Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:46.351{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B007640A96B78FD9D86164975DCF5D,SHA256=0A6794A55A252E5F07204F6E97962A0D2C58DE21B41B640B051CE4097A07D2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032744Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:47.367{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7A66AEA3C4B61D56C9873DE83C93E0,SHA256=079B58660871F9AF8A99246B7EF1BBB9C45A52ABFC627FF6BF5AB30EBC2EC5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.001{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7B180907235C9C6E3F09E03603E69,SHA256=5539C278C954BBF76C25D955EBAA04D808DDA0BAF0ED11E521F12738793419F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:46.499{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64351-false10.0.1.12-8000- 13241300x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:46:48.316{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:46:48.316{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Config SourceDWORD (0x00000001) 13241300x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:46:48.316{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9A7B1CBE-334F-49C9-89E1-93C4FD220585.XML 23542300x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:48.047{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69DC7C2D6E6A32418A194290E4A7804,SHA256=5199BCCE59A1ADE0DD860FD3B93BA8F4DBACF1CFC3B9973C35EB8E85128818C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032745Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:48.382{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765A746F4EFFB7C38E21B8D74FE61335,SHA256=AA529EECA3BBB137522213D5697BAE27E189211E22FCC8AAA348C86B3EC2C29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:49.347{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9392D63B101F6BE0AE41F7B293CD08D5,SHA256=47D0BF4D98760C0A5FDFE59F779EFA86148E71E0683A94098743E76FA8294185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:49.347{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAFA484483DB904D0A00C71DD6301110,SHA256=B742FD6CA5560FE97FC7E74015986325E0D265BDDB8D53CB60ADCB5438980931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:49.067{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0211779DA43B5E077483ACB91801AC03,SHA256=4AF79B9E1B1DE2AA832CA8DA648D61B72894C0F07F9AAC8AA27C3584265AAF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032746Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:49.403{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C0CFB5231B35F91228FC867DEED900,SHA256=E02D23E1F58C605BBDCE41C7771151F3162EA1191B9486BA9C36BC317CAA78F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032747Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:50.418{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681A44716366595B952188301CBB21C1,SHA256=85F5B99D284B359E1D4C80CFE308CE03409DEC6F13FA084FED3BC0B6D132AA3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046205Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.771{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64354-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.771{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64354-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.765{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64353-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.765{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64353-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.752{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64352-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:47.752{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64352-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 23542300x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.184{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF8ec437.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.084{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABBDABF889E45B6261E1115FE2F94A2,SHA256=18A8286A2D6AC7011E21E23D4BB051E1A706773B7E38D560432BEB03F4A69DB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.016{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.016{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:50.016{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032749Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:51.434{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40FE3E66BDE944C837907B3EE473145,SHA256=CE7BC89C93D49CD29F161E606B30EC2DF4AC6EDFA3C46A036B5A3D418366693D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:51.115{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFA38EAD483B3559AF5E52A5DBEF761,SHA256=03AD7C3D0CDB6141E0960D5DAA09BCF8A647670C0DE2C89062074341AD7096FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032748Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:49.011{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032750Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:52.481{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D27F10AD0C1865F965A1896CF2A06AD,SHA256=FC63659DCF2AAA1E75DB3A4069BA2F89084AECDE5D2B3173A756D0C90F229EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046207Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.130{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913667AE2D138ECF3C46611964FDF133,SHA256=9DD387D5063E420FA0FD92297CB436F0CD5AF703D701B0AF4055346FA62B049D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032751Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:53.512{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A8E78F36F95292AF4BE4E241A38D06,SHA256=992F902294BEB19499417E5B96AE1C746134D71A6E433177E6C085E8CBA10EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046209Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:53.145{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66011708C67F06F4F32D7257EBDAA5D4,SHA256=2B998429C8F68CC89A8783B5A4FE9FC545E1FD4EC7023A8C395CF3420780A110,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046208Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:53.130{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000032752Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:54.559{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46436DFED9AEEC54EE2ED77B7B282013,SHA256=A19DABE3544174B2004AB5EE1A4D3B6BC5690F493C1D784B4B3D7D15563D837D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046218Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.569{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64358-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000046217Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.569{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64358-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000046216Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.480{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64357-false10.0.1.12-8000- 354300x800000000000000046215Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.475{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local64356-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000046214Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.475{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64356-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000046213Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.468{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64355-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000046212Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:52.468{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64355-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 23542300x800000000000000046211Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:54.163{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EC8FC9B277CC654E1006CE89AF01E6,SHA256=218DA61C64D4A4FDA7E907B25190CC22C0A4A0BE45C62AA7A8503DEBD19D57B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046210Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:54.045{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9392D63B101F6BE0AE41F7B293CD08D5,SHA256=47D0BF4D98760C0A5FDFE59F779EFA86148E71E0683A94098743E76FA8294185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032753Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:55.574{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7629E49A4BA445480CB55904F070CD74,SHA256=047EBA7B632D370AC88084F9E2997DC721646596EEE3F60929D4E9BA15B51010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046236Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-591F-6112-1E08-00000000E501}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046235Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046234Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046233Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046232Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046231Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-591F-6112-1E08-00000000E501}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046230Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.845{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-591F-6112-1E08-00000000E501}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046229Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.846{82A15F94-591F-6112-1E08-00000000E501}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046228Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.398{82A15F94-591F-6112-1D08-00000000E501}58604192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046227Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FE88497141E529C4E8BBE43C8A1DF0,SHA256=576613E99CCB381668E9B25AD9084835966E09CF01E612190DC6760F8273DBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046226Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.166{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-591F-6112-1D08-00000000E501}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046225Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046224Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046223Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046222Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-591F-6112-1D08-00000000E501}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046221Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.164{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046220Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.163{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-591F-6112-1D08-00000000E501}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046219Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:55.161{82A15F94-591F-6112-1D08-00000000E501}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032755Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:56.590{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE0A256FAA5FFBF3F02035E5D885E80,SHA256=7A8F6E3E45A845990C98C0D2BE717046AECB928A802565D6463C062300BB96C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046246Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5920-6112-1F08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046245Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5920-6112-1F08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.513{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5920-6112-1F08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046239Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.514{82A15F94-5920-6112-1F08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046238Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B105E8B27CDBF49ECC045F20F2BF0E48,SHA256=A7FDD8AC04A27137C102CEB78CD338EC86B1DF1E7B2D8307F347CD7A27CF7CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046237Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:56.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40035C1EDBAC36AB3B8ED94D740847D6,SHA256=25213E4EF4D80FF9B142AB72B9464B637855CC81D6858CAFF513424834358E50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032754Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:54.011{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032756Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:57.668{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC6954BEB035EE8F1A011DFA0ACB451,SHA256=0B00240C26BBB089C1CB2329FF36D1FA722105BDAF5C8A24B185920AD3F41046,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.544{82A15F94-5921-6112-2008-00000000E501}52922440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2676A4A3D9E663B3B362E77EDB95B222,SHA256=74EE0BB864BA1C5D387DC5398D996C8B6BC789F5F25646389D34000DEBC39F6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.366{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5921-6112-2008-00000000E501}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.364{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5921-6112-2008-00000000E501}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.363{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5921-6112-2008-00000000E501}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.361{82A15F94-5921-6112-2008-00000000E501}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.197{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438A0212A8F2DA5C99AF307ED3DC62CC,SHA256=5039F87A442367E7D4A0D66CC81D0937F0D94E9DFCB2C953E6761E61409591AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032757Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:58.700{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC8DAD16F35BE596CC556A8CC73B419,SHA256=9D268ACC110F05A1AE833F9B3FC8B9C8AE81330406AB6243C287130DD6626703,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.912{82A15F94-5922-6112-2208-00000000E501}10204692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5922-6112-2208-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5922-6112-2208-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.712{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5922-6112-2208-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.714{82A15F94-5922-6112-2208-00000000E501}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.227{82A15F94-5922-6112-2108-00000000E501}64406784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.212{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8F277591BA0A96D8953DC876BD2035,SHA256=E0EFDF0FC625BCC8673C0FAED8FF0B02033E82B2B313A214A71FE744FB3829FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5922-6112-2108-00000000E501}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5922-6112-2108-00000000E501}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.043{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5922-6112-2108-00000000E501}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:58.044{82A15F94-5922-6112-2108-00000000E501}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032758Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:59.715{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1B8318A40B7567EEBB44868749AFC1,SHA256=A65ECCDBE21949C6F0C6DAC2011E23194F37660B78490BA76489CB952D36BF80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5923-6112-2308-00000000E501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5923-6112-2308-00000000E501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.327{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5923-6112-2308-00000000E501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.329{82A15F94-5923-6112-2308-00000000E501}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.227{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC22AF8D0B80A7F9138738ABBB704B3,SHA256=485B811302FD1AF8EA6338F02485FF65D3411A4BFC7C7102EBDEE3C987BB7318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:59.062{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC2E09C93E346FFACA9C1270EF6F0774,SHA256=EA5F00CB7E6B867DF5494D00BC4E7048D338F5D4FE1610A1274264125789067C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032759Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:00.715{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB4A875D36391ACD37D471BFFBB52E9,SHA256=71DBD85832112DB1E67728D2AAD19C1423F53AF9A43FF12EC1250E1BB6F70452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:46:57.647{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64359-false10.0.1.12-8000- 23542300x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:00.411{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC504078F723132B8CCD4FC1DACB5B1,SHA256=67C1C57F3D9261F9720CC2B224B85073410F25E3CA722B31A3DEEE75C4FD464D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:00.242{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B46ECFA608B90B0193A9663D2C5388A,SHA256=02B2FA10A85B4D21CE386C1A4A3AF2E6E0CF96FE2D5A5BFEF21F1397FCCCF4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032761Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:01.746{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7906DBF91B5FF974F4B7D4CFCAEAD36A,SHA256=9A858EA073E84C2E3CD67397256C884647FCAF6792B4BDD7F8E210CA39259D7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:01.912{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:01.280{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE0CFBC1D6188B2F1D8743EC279020E,SHA256=BCA441FC859FBE4B89922B6C7C8C301D81A4E4437748EE4D9773E5C53AFFC406,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032760Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:46:59.948{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51504-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032762Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:02.746{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1253AE77B0438E08F4D7A67CF8097743,SHA256=E76F6FB22B53CB59C2D78C290131E3B290118B2E35BA9DFD8C52DA1C0324D045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:02.281{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1A6C328836A1395CE0CE3AEEBCED5D,SHA256=2288CE635FEE0ABE6ED26C317F549DF19790B3240FB25E4AEAAD18E09B13E665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:02.081{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3F31F9B40C18E07F17E4FD40B578B6B0,SHA256=DF5842E2BEB8193F8CE47D07B8B8662D29DA35E0C23F966B4DCB91D38B012590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032764Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:03.840{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032763Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:03.778{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DC4EED367420E5CDA9CF9F7D370326,SHA256=D0AA1B878753B671FEF01F43DD2CF29E6594D861EABA252A9A68A2F9DA373D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:03.295{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA4BDA6699272E5164FB68F386F47BE,SHA256=96331D00A9B638D500BA784A04C3F49161DB5130B4A24B78549951A7129BE24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032765Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:04.824{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8BD70F86FE0DC33C538039D8DACA47,SHA256=5B83EB47ED7584B65B8995812E4AAF8D13EE166EA0851ABB37F5603DBB646908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:04.896{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5870C6ABEAAD9BAAF9696B2C7853DC,SHA256=97109BFF320A99D7D13D603187309C211B8F5852B25ADD10547C26B87AC8911E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:04.312{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECF8A63AF39584AE9F2FEE5D1E5290D,SHA256=0A1C166E372918DDDE7C39873DF22054C82AF6CADBD2DDC6E5A6795B63375A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032767Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:05.903{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF5A799414EA3C35866FA160A994DCF,SHA256=A3D6F241024746ECF9B1D4E7ECA2306B2F4E7B9CC1181C5E2AF50C974D09CA65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:03.447{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64360-false10.0.1.12-8000- 23542300x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:05.327{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65C9B1C68595BD2681AC2D3DDAEFB66,SHA256=CE31D282632996C459673D920F99579022CF6BF997412D29D307C552769A1099,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032766Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:03.605{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51505-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032768Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:06.949{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD81E2D2C90072A7BF42F2359B76812E,SHA256=59BD89C29A4936BB8319020A30807108547B8586099947C2154EE7DC7A3EE93F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.942{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:06.342{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C978D68AE916F4593C856E01298F95D9,SHA256=89E689960541E97E5627E89C1DCC71B2C495D16B29FA4980F716DA7E4FA700B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:07.841{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D315DB02E07D10A9731FCA1FFDCD73,SHA256=E990DD591F911999AC39A88792056902B30EC47127837A8626EE450001F71CB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032769Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:05.980{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51506-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:08.894{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F595B94997AF17B075D465872E7CEAEF,SHA256=9D6CD3293BC88F3A09133149DA14F6550576E735E9DC519FF66A14F99417C050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032770Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:08.012{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0280019D5F3CE7E1EE9F2B0032801F,SHA256=8B00CB3F0770B0C7540BCA96D301BD174D377520A46FCDF0885102BF249CB882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:09.909{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D5AFF849A641C3F9EE34908B31B6EC,SHA256=3F96150886FE317A97D589970A09BCD59C9460E67FC784CD188D72FD7D49328F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032771Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:09.039{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE1ECCEEED49C0594C4E31510523D42,SHA256=0D70D81AF470B3E3BD0C655814AE03083CE52D655E9AB1AAEAFC194AD5B2CB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:10.915{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE950C09288E77FA6823677D108A28D2,SHA256=D0D5D9EE55B42E8521429EB9D062573A9D553A3E3E89FE9A6AB04486427E90BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032772Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:10.071{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB920FC8CF4E10F330E9B47BF07D29,SHA256=6AC60AAF3E91E4C10E0B59DD24F7721E1E0BFB5B31FB7A7BDF1A59B654F74857,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:08.629{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64361-false10.0.1.12-8000- 23542300x800000000000000046336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:11.931{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BADE8CDBCB00F18E308CE160287DBD,SHA256=67B350EC8A4B9238EBA61F90778187A5850E2EDE948EB4D153C44A7AB70C3B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032773Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:11.086{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF876BA41F018A8A55212FF29A055464,SHA256=1BF5DEB278E0A6FD4F8D5D7AEFC2C67628325098015F4E7698AAD787357F62E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:12.964{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B328CF101FA69793FB7007FF50558AB,SHA256=F5F0EB67ACB8A49B5A8F7A7CFDB671CDD0737D2889C5C2E9F1571748AA16288A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032775Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:11.038{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032774Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:12.133{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595A7AE28E2C9CDB29DDE29509BE950B,SHA256=9287A9AB962CB16FB97745484170502901B87309609F1AC6096DBDD5D675FB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:13.983{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66820EDB8EF5D9799CE2E748218CDC31,SHA256=5D5C95542DF9AEFBDE41FC4BAEB111DDCDC0ECC3DFBF8D5921321BF6BF0F9142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032790Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.758{82855F7C-5931-6112-9506-00000000E601}39763384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032789Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5931-6112-9506-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032788Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032787Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032786Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032785Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032784Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032783Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032782Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032781Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032780Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032779Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5931-6112-9506-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032778Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.602{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5931-6112-9506-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032777Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.603{82855F7C-5931-6112-9506-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032776Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:13.180{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0743BB048CE6442E6F22925B794B85,SHA256=8630409109F23B63D1ED1E08B85A24E5775B2B67B287059A9C6B6E96AC8B566A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032820Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5932-6112-9706-00000000E601}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032819Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032818Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032817Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032816Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032815Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032814Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032813Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032812Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032811Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032810Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5932-6112-9706-00000000E601}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032809Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.852{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5932-6112-9706-00000000E601}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032808Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.853{82855F7C-5932-6112-9706-00000000E601}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032807Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.789{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D6998812FCE76E41EFDE92403563AA31,SHA256=953C7ACD2C088C47669E28F071048499D8B47713F32EA2750EAB0F1AEA6116F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032806Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.664{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A59F066B03F638426D293D518FBFECD,SHA256=A631BCA72EE263D0796AB6D2BD7193E995970A836BE7197CBB605F5CDA4A118B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032805Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.664{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29AEAD9457228C4714153E1E04EC8DB6,SHA256=DD386C02A2E936C874000A3F4A5BB83329B6ADC86E7B62F23E54C706F78C4BE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032804Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5932-6112-9606-00000000E601}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032803Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032802Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032801Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032800Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032799Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032798Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032797Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032796Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032795Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032794Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5932-6112-9606-00000000E601}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032793Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.227{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5932-6112-9606-00000000E601}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032792Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.228{82855F7C-5932-6112-9606-00000000E601}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032791Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:14.211{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4A80DE05DBB8B0223DCFBEBBEDF66F,SHA256=3C9B1FC451150A1A6CF38514B60A538D3E1E2FDB1306125958100D99001E697D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032835Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5933-6112-9806-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032834Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5933-6112-9806-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032833Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032832Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032831Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032830Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032829Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032828Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032827Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5933-6112-9806-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032826Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032825Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032824Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032823Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.931{82855F7C-5933-6112-9806-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032822Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.852{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A59F066B03F638426D293D518FBFECD,SHA256=A631BCA72EE263D0796AB6D2BD7193E995970A836BE7197CBB605F5CDA4A118B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032821Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:15.477{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833309346E79EA50D1961078C072D374,SHA256=4A8C126DE8E430904315031DA6BBEA2AC29609D5E42632B7728145C94907A314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:15.013{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD9539700EC736D8636A1765F6DFBCA,SHA256=1C40956F206FE7B6C18EFD7537539BC4694560FC0146637BC7114135D6E5574B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032852Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.961{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=413937B0730C7C9F9E08B0FCB8DFCC94,SHA256=5999B1530EE66298AD3C98076EA61041115A91CEAFADFFBC8F8DF07261E2777F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032851Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.758{82855F7C-5934-6112-9906-00000000E601}9602004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032850Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.727{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D031207B1205B03DE49F0DCA5B7F3F,SHA256=E29B414C6DB138F849EA212529FC8D3E6CF6F10EDE9B9EDE19B77D62EE33E4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:16.028{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131F8B363603CEFCBB1D18BFF8E94E24,SHA256=4200EFE0DEDC713FAA09A52279814B2153CF8131C4888C591501DFBA081D082D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032849Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5934-6112-9906-00000000E601}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032848Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032847Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032846Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032845Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032844Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032843Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032842Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032841Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032840Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032839Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5934-6112-9906-00000000E601}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032838Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.602{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5934-6112-9906-00000000E601}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032837Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.603{82855F7C-5934-6112-9906-00000000E601}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032836Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.102{82855F7C-5933-6112-9806-00000000E601}40443684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032880Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.930{82855F7C-5935-6112-9B06-00000000E601}708988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032879Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5935-6112-9B06-00000000E601}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032878Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032877Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032876Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032875Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032874Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032873Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032872Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032871Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032870Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032869Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5935-6112-9B06-00000000E601}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032868Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.774{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5935-6112-9B06-00000000E601}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032867Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.775{82855F7C-5935-6112-9B06-00000000E601}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032866Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.743{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7174DE27172316080FDB010459FF42,SHA256=393D50E5BA9F3D7A064043F6B94A5E133521D997DFCDB65047D3A20441A4C5C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:14.596{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64362-false10.0.1.12-8000- 23542300x800000000000000046342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:17.043{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9F9C91D92CB4093AD098DB65D6B296,SHA256=C2377C0E4F57063AE55528F8BECBF8AE61488AB88DC1ABA4D9483FED3B4CF696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032865Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5935-6112-9A06-00000000E601}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032864Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5935-6112-9A06-00000000E601}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032863Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032862Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032861Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032860Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032859Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032858Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032857Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032856Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032855Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032854Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.087{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5935-6112-9A06-00000000E601}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032853Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:17.089{82855F7C-5935-6112-9A06-00000000E601}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032883Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:16.929{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51508-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032882Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:18.758{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E3FBDD829B53C87269A813DBECC0A0,SHA256=CA3E0E4313580A0E96BA41F1DD4BD561B16401DE2616CCA3806AD020CD9B8989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:18.585{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:18.527{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:18.511{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:47:18.511{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.20.79607948C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:47:18.511{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.20.79607948C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:18.061{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E817016CC6EB84506343669BACFF08,SHA256=5A718B4A74BF30DA0DCDB2D2809416860FC8CD4DFD248C05E27920B7C7C1A9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032881Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:18.102{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766DA93FC6E1EE4135FF0B957CBB0D23,SHA256=7EE02E808F5BEED81DB2C0C5EA93EF6EA8D05F45ACC331A7AD1C3756061C16B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032884Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:19.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95CD28BDB5F998578BC010EF66E4026,SHA256=8EACEDFCCC7E108D46EA97C08E475A5652350D2820657A70F3D397721B5EF9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:19.064{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F6034E0C22FA8D6A6904B62859419D,SHA256=687600E3E7DB1E67F2EE951BA1977AD22B7D09B67E091EBAB13E7EAA1E33183C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032885Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:20.789{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01A8024B14730196FC4359FEA68CCF7,SHA256=39DC7DE03C4B5CF684A97DC319755259B2F3FDEBF143F996761911670696845A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:20.079{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ED34CA1F0487B11221304916ED7DAB,SHA256=A53F035D0AEF0AADE2463A6139C304EB7A396EF58FCF0A86C40DEC91F1E485F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032886Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:21.805{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FBE012CC632845E7DD747E493A42EB,SHA256=0916017A7D1D7A57EC5C43CB76DBCEBBE5E114CE2E18000DAD3994BB55AEC543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:21.141{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732ED8D0AFE041EE78DBB30CB2BD2449,SHA256=7AA11B317E9C9E5639FF07214949F80E367FC23C559B8B19BA314919375832D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032887Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:22.821{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E71A4B64B7C7D4098D0A5B8BE9B9EB5,SHA256=196E8CA82AA0C47DA328A7669E1DEFF56598BE72BCBDB166ECA083604E2FD157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:22.142{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C294567C94659347FE7099F5FE86C8DC,SHA256=695D1F02A00B1D6B1F96DCD7B8D862F7B6541C1989299211C664123E8CE6BD44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032888Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:23.821{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0EA2B4A7617D26D53647718D23E6CF,SHA256=2B75257439E8DB1C1EF94F7D2074FD454442EF3355D0049631F87B63AF273B49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:20.576{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64363-false10.0.1.12-8000- 23542300x800000000000000046354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:23.144{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3A5325D4B894E78C7AE844C63347D5,SHA256=A48990A8138D31E0391F1749373EF3A43C1ACAC9209FDF466478D2E980ADC8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032890Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:24.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADA1A478B5783490F459C059F57BD3F,SHA256=1E299073B96EF507B440728418B7F2AF37168E7D78693599947141F64097BEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:24.181{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E60AD08A479A4D2735469F3A6E350D,SHA256=14E98013008F3364D3F93744832A04DDF089A264C248B74DE7326CC734D81F73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032889Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:22.007{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51509-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032891Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:25.852{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9340BFCE46038F3C3D4B91A336D94EE4,SHA256=D3592830FC9FA0A14AA43A398D365DBD263B8927821E7A255191F1D82BCAD394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:25.196{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2916809DC46128173FC6A8104BFBE58C,SHA256=F6DD323B4F202503282C7F5458A81FADE9E762CDBB5D20B0AF535EA4666B4983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032892Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:26.868{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A049F716A8E56A315EB775E27E0C850,SHA256=3FB10BACE4D6FA16465463D4CC6BDC5D13A42DEA76DB4EDB2808F4306029E232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:26.211{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7716C71904794C89F496F12CC3B9C71,SHA256=AA4A9D4CC3B9B0FF600FD71739D57691ABCD752C1E9F89EE2D96C0F830CF2C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032893Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:27.883{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABA960DC8790657D46343FBD6E9D137,SHA256=EE280ED318CD526949986E72AFE9FB2790D8DF702FFFB9E76229CA9F0CA0B89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:27.211{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308BD3A148922383F8E7E48BC7EA6761,SHA256=4BDBEBEDC77D8305B79F0E31C6496343B34EF44D86C994C5AF849C0B28A99A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032894Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:28.887{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68416F345A6AE3E57EE77175C70EBD31,SHA256=6B3D6ABF72E04CB90096AD0C68DA7225784D65F1436229ADB89B17209D89C87D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:26.594{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64364-false10.0.1.12-8000- 23542300x800000000000000046360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:28.226{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA55F53F2E0848AD51DA27BF64602B2,SHA256=E5631FCF1FAE35A340302DF047C8D6B93A44084B4B4BBDA2C4519A584BC9B34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032896Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:29.902{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DE9F7D1A3DF8D409C6BE3C51792F5F,SHA256=DBBFF02B16C5A39FBD146163E78C5B2243D48599244DE9901FB6FEA8A82F2993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:29.241{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F9FCC62732A65052B047F56BDD9C40,SHA256=94A0470C0F6E5842CDA0B62C449AAAD006407F0775A85D08FC8AE587EEB03E90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032895Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:27.850{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51510-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032897Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:30.934{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5EDD11B90F09758931275F3F83E0C9,SHA256=F43019270092E1F49E5EB7EE9C74C22A5BCB0E28916AF64ACB0F6AD690EFE43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:30.610{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:30.259{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2E7C3104F41F55F666AD91911767AA,SHA256=E617201630D18FC08DC3B649A45807E7051ADCF1AB99D9E5E2D0708B48CB43AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032898Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:31.949{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98E30017946D2E99AFA3BE60EDE29A6,SHA256=2D47A80EF41FE34F4B8E6BCFF0454837112CB77F60FCD60FB2EB8C6B72B2A001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=59E6F76300B8ACF4FFABADA1E49CDC74,SHA256=06025E1BDBADDD240894548BC76ED21FC566C81600A9C29A6F1E0CA4FA0585D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1F0DFE418E7D51C15246514C43E30622,SHA256=2756929014EC4EDDE631E3591D99CF1E1452DAE46987A1871639BB7271AE8705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=D399EADF871BDC2FD2F0757A612DEDC1,SHA256=C80B68E46CA70FC40FAFC1B85A3C3EA7A7A9196CC3BE71A00C0FA6E9468AD7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=CE6D533E9D6382AE8FB37BD1C2A6B55D,SHA256=E968FFDB92DCBBC986C0EE3AFAFB552F67139D043483EF0FCB6E6DBB1897364D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=33683931039A83458FF5920BFCE5688A,SHA256=E3F882D676C6C8BA5B8E50F6018F55E0388043CCFAA457F26B8C51357E8D0E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1105A5AFEC064918A10D397E1251498D,SHA256=5E800C52BA5ED2F7C5DF4CD2D232F0549F77DD12D79EC48978C635DDAA2EDF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.493{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4AB8BC9F12332EC5CA720C70AE1FB0F1,SHA256=3D2AB996A5955D4B3F25DCE567BBE850BB98A01AEC313DC16C232BF07EF0EB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.293{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C9AB7F46897DE24D4CA5B9AF5D87EA,SHA256=AB9E0190160730F0812A4D0136EF4BB0C6972CCB3E6E69F0BC1007495664DC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032899Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:32.965{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13BA88E13371C924D9B68418F17AAB5,SHA256=847FF38035C87C5864FACC8F53DAA4F3DA49A831FABCC4E6195804CEF51F2FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.939{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C32C99E5EF3AE7CB26859A98B95DD7D7,SHA256=FC0F97FB90882CC76A97E5CBB49B1552FC66075E5E6E5C5FE1739CE961650F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.939{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=928118A35350CDA1EDACD5AFCCB0B7FD,SHA256=732969A5884FEE920748CEE90DC3DFB601AF0C82DD4D040659EDF7A06FA87283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.339{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C573187AF95CEB768A5A5AC94594D69,SHA256=D0D17576A342BEE8E1EA2249E6AA56CF887A0F9141D4A3EAAA96DB852E30CFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032900Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:33.980{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09356C4E9CD7B49347D381595DB9A3C,SHA256=472C2C8616005AAA99BEB53921B7C6847C7AC7D3BA16ABE55217601E10590F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:33.491{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:33.376{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7BED03E3794CC4E5D35344AF6B6BE4,SHA256=B9BAE2D471046499092E0A87B05828DDF966A7CC1B8F3A3DB3007D2F8C3C35D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.543{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64366-false10.0.1.12-8000- 354300x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.344{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64365-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:31.344{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64365-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:34.392{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759650399E41F96A62FCCBCD1B5203FA,SHA256=004BB17C72E24B24BFB2CC68BB59FF01BE5C1C147B5D5905DF12E3F5F11596B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032901Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:33.010{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51511-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:32.911{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64367-false10.0.1.12-8089- 23542300x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:35.392{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC373C4C925B5678F1AF368F0EB8B5B,SHA256=AA994B8E7D38B009283E9583A56BB0846AE09E00B0806A67C4A4F78D4919D04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032902Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:35.012{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6894CDABC6387751BADA8EFB187F8949,SHA256=2DF0AFB667CDC7A04A988154FB61EA3102CEA890DE4F4EB02F617C6DD1B1F3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:36.407{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F0EB3ABDBA769DBCC801D4C44FCB5C,SHA256=F0787E87659ACEBDE2B12BE860AC7220B261629771AFD72319B6916AECD8EEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032903Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:36.027{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3236452006C1858414FCD6AE8E6A26,SHA256=B5A76B574AD47B5BC45E5BF54B44C0297FC732CA750E2E6E03E05CD6A83FFDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032904Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:37.074{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F3D5B226F9C065A8E4A17D9CEFE1D2,SHA256=04BDD6139D843996DFFFC2FF4BF7A9D544875D8217A09A8A7A4BB3396208EAB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:37.422{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66802DF2177ECBBD5AB1069413FD4EE0,SHA256=37654410D839FA62D07295A0C6A22EF21705AC87BF9D717137A9F2572F7253D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032905Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:38.105{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28171F15B2F42004AD6C2BAE282611CE,SHA256=1CA7DC22663D44347C28670629AB20B914B4896EC0D42C0EF0491CF18725E111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:38.438{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6564CBDDE22C69CB5BBFFD34C7BF080B,SHA256=6BBE087625A176C5A9A6BA2F22FD776546AA10BE49785FBAA4346F9D8CFBC357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:39.456{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BFFA4F04A8EE3E623DC4DD8A8369F5,SHA256=3D67A2C39454952FB48A675D66A26AE2733E9AD538C312E60B518488F95B89C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032907Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:38.042{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51512-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032906Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:39.152{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE73CB2FC13611EA7A4F822EDC5805BA,SHA256=160F0DD61550B0D22F1021CC2441682CE79EE788FB582AB02579A9F2543BEC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:40.475{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC45E83952B56C13211C9A794A634DC7,SHA256=6E706C45D758FDB28EF2EF6469FE1D3C7F3E2D124DCD125E5EEFAD7662461168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032908Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:40.199{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFC271F63C852B9C90573F2164E4846,SHA256=07278FFAFE833B97C9C70BD84881A3C6F28A40200A4C3BBB01BCCCFE5D925DFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:38.558{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64368-false10.0.1.12-8000- 23542300x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:41.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69088E9C083B6A5834B6370ED5DD9D15,SHA256=A75B9D9273950065F09B080A4266BB5B4F754B12B1349FE21A5D83B56D3032DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032909Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:41.215{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A774BD6048F317CD1825276C9030A27,SHA256=160B16F566A498082B8DA15954AB0BFF6F4143198BF90125E6C5DA3F8B4E3890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:42.496{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF5A1DFB081F9117DDA6AE4B6F18501,SHA256=4D499935A05241568AD6B1C0A043C94C40B5F5BDD5BA7BE4AF6E759C465C5777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032910Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:42.246{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA3EC5F2CA08C9A85E55E38BABE0A21,SHA256=8F62E0B8CFF8D858A245898FD2F505680029EBD6211643825D845AAB02F2FC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032911Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:43.279{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512890F6381E37240AC607888A94FE3F,SHA256=3CB55304B701E0D1836EBD402794AE19283F7C935081EA50450A58E790DA0822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:43.512{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6EBABD3F43899398833F66EE24D533,SHA256=0C32247008EA1666DD2EF23E2D892F8BD9BBD063CCABC1FAB33B20E3D713A44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:44.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70EFA4636DD4BA5114DB6DC867753BE,SHA256=ABCB51288BC6B359A961536D0817474AFF29A73E444B4A2FCAF05FCD548934EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032912Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:44.307{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B336F4950F67311E76446BA2F5608393,SHA256=28BA20FFF268268F19605AE2B4B563A22D83D6182C0A4EE98AB72319E1691C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:45.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80512606A03AABDABF0DC1FBBDCDB1A2,SHA256=7E720C09DADAF16F92AB6A203DAAB3A0BF7F6F283F8E40FD226B3DE8DE22422A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032914Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:44.010{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032913Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:45.325{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB301A65336153E6B9D739B811952A30,SHA256=869FE3AB40498C9187F54074C29094CC64992F24C7CDB531CF9BB0B6E08571D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:43.615{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64369-false10.0.1.12-8000- 23542300x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:46.559{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BF880D0140A8378036F6EC19CE3B87,SHA256=C2A450DBE81471B05ECDC278C13AE6B3209B4F5F825DDAEF0E3E17E21038E0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032915Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:46.357{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2BF0B3BC6A5AB1410647CEC8F5F23F,SHA256=C22416431FBF9C05A9ADD745F0E68C391C49B4DF2529E2E5A787D649C71F712B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:47.563{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703CC48F0916E895B5CBC3DFD4D12402,SHA256=3C67C4D2680E09B48524763CF395139AC4409C1EE50793A04A11C8C4440BDEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032916Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:47.389{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551FE99876136660F156F88FF344B006,SHA256=3AC1542BC2C302801B1074BE3DEFFF17CE5A61C20CB6BD214847B1AC6BB82BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:48.593{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B86701B7E7BD0311EF48F815EBA791,SHA256=97B682ECBC08182D34F756AC57056080908BEBCD45B0570F4D83C12A95BEE35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032917Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:48.403{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB394A050059A2402B044D7040CA7AC9,SHA256=176BCFC97E4E74C0A6934F303C841A20C3D17C4F0F7DA889A8868213C6095EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:49.609{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F240B069095B34C46D9C3C0AFB10A70,SHA256=87A034E8CC30D4467460BADFBF4B68D1D5E509DED57C210D38A78E33CDC11175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032918Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:49.433{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70CCA81AE9171CCD5DFD8D5DA13B49A,SHA256=35518A34ED69BB3929427C7DA0D750587AB5492A7E91B78C8472CDDB9CDC138F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:50.658{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5950F917BB8D9EEDC1D51017F8F4C4AC,SHA256=BB3D18056444C6A01547B1DFE7E414E8F2B8AF1023D45C07401B396075E0AEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032919Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:50.496{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33459CBBB11D3CAFBA02C0FB12B881B,SHA256=592EBB59DBFC9968D0F45DB1208DE89AC5DD0B79F555744653D46522E052CC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:51.677{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E720FE939EC11F2DC78B01D912F4B84,SHA256=62DB1CF48F22FF9675BDFEB26FBD5BCB63B6E4F367447B5276E3D541EEB5EDB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032921Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:49.916{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032920Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:51.496{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC782926ED3696E3AFCA622EF6DBEFA,SHA256=5CA1BE59E3ABD97E05B9C9B92D8D490E4F3A2E319FC71E1883978AE8C905444A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032922Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:52.558{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C867EE9ECF4E717E7BC89930C0584B,SHA256=A191D2D7269F53CF2536891BCBCDAA38865505256E47907EE6D35DA2F2ECED83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:52.692{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1DB15465AEE8A38B736CFA255C5A3C,SHA256=7DDEADB0BFF391DFC99D727C8767545C1A899430E683179370B1423033E1812F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:53.723{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCB6C3877224EF9262946886FD6926D,SHA256=9155E5029F564EB995C14FFC2A919B59966D83184679BE20F3F47E067203107A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032923Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:53.574{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5852460F54A5E5C80B9AB21520DDCE6B,SHA256=D23A9AB129079FCAE684D187A3359E42D987DC656FAA793A229508CB5E4733EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:49.613{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64370-false10.0.1.12-8000- 23542300x800000000000000046405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:54.756{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECBBDC04AE6B5BD1E60A83E7456FA0E,SHA256=FCA8E145E491ABF8E4B55C8B2C8E0C2DDBEC376D29FFC75248FADE1E45F31802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032924Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:54.605{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA3B0B5D8EF52EA5A333BAC548C4DA0,SHA256=4EC27C8BD9BE0457CB7AC43A9B0A17C36E0CB0C0CD9DCABB87BEE820AB1E80E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595B-6112-2508-00000000E501}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.859{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-595B-6112-2508-00000000E501}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.858{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595B-6112-2508-00000000E501}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.857{82A15F94-595B-6112-2508-00000000E501}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.775{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191450B689303EE27B9BA6B5F6E9C67F,SHA256=49DF829D664AE1BB0066374A3CCB00F41E115C34A6AAEEFF14ABDBC4D5AEB3F3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032926Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:47:55.652{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd5-0x2d321812) 23542300x800000000000000032925Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:55.621{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7684AA19A6CCE8D766CF3D4837585B90,SHA256=B73DF30FD1467E13E6FC856C7AB314B49620EA285A365AFD46F37133133C03FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.359{82A15F94-595B-6112-2408-00000000E501}64006828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595B-6112-2408-00000000E501}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-595B-6112-2408-00000000E501}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.175{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595B-6112-2408-00000000E501}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.176{82A15F94-595B-6112-2408-00000000E501}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032927Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:56.636{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D15D21D897A98B37D0F100AAC5B32F5,SHA256=D718FF8A12ED07DE54AE9FB5A0949A8965680993D48EAADD6550DFE54D0F7212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.790{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5173FD97BE9176999A42EEB241F0933D,SHA256=8639C39BEF344B535CE3AFB884CF067C663BF86682BF98BEE66EA5729723DD26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.357{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595C-6112-2608-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.356{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.356{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.355{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.355{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.355{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-595C-6112-2608-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.355{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595C-6112-2608-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.354{82A15F94-595C-6112-2608-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.221{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ACDC744A0E9844BD1B90BF015133215,SHA256=54DF9D7E1F5539941662E9CB70EE1F47C0062D541ED4E229CD3537A87E08B62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:56.221{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C32C99E5EF3AE7CB26859A98B95DD7D7,SHA256=FC0F97FB90882CC76A97E5CBB49B1552FC66075E5E6E5C5FE1739CE961650F14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:55.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64371-false10.0.1.12-8000- 10341000x800000000000000046453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595D-6112-2808-00000000E501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-595D-6112-2808-00000000E501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.921{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595D-6112-2808-00000000E501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.922{82A15F94-595D-6112-2808-00000000E501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.790{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FBAF55D4567FB54C43744470CA726F,SHA256=2BE9AC067015CC4FF38CC45757ACCB2C4B8444E362FB7B246B59314C5BDD2F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032929Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:57.652{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16872A6E46E9B417F2DA2B186237882B,SHA256=95743D568B189DB5F0F2CAE36AE84DCFB6CD8B201506F019CCBA94489BA098D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032928Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:54.978{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.559{82A15F94-595D-6112-2708-00000000E501}22881396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.420{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ACDC744A0E9844BD1B90BF015133215,SHA256=54DF9D7E1F5539941662E9CB70EE1F47C0062D541ED4E229CD3537A87E08B62D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595D-6112-2708-00000000E501}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-595D-6112-2708-00000000E501}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.373{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595D-6112-2708-00000000E501}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:57.374{82A15F94-595D-6112-2708-00000000E501}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.936{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A29969731F24E7DE2D09AC6057D2B162,SHA256=1878801914BCD1458FEAD3AF21E65BF927BCA559D5E1647311D624D9AEABB290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.804{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DD1FF57C5A38C3B9A39D84F0B51D2F,SHA256=D1D7566F30A0AD7A8CE228BA1254A38B4283F2636516BE0A8A91C0A5A75F4439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032930Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:58.667{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F457E61A21A74C0A5C66FFB10FA110,SHA256=D9611342898EFAED1B77A2D2EF95546BA7A2204A8FB9D236C1EFA5A85ABD33F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.773{82A15F94-595E-6112-2908-00000000E501}67525676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595E-6112-2908-00000000E501}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-595E-6112-2908-00000000E501}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.605{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595E-6112-2908-00000000E501}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.606{82A15F94-595E-6112-2908-00000000E501}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:58.089{82A15F94-595D-6112-2808-00000000E501}41121476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032931Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:47:59.699{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE46C651BAC2312EA87C58F75E545F10,SHA256=144E7CCD0B1908D9FA21E04124354435BDCB7C9FD5D432D7A15CF5E02744EAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.819{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B082CDF1953DF9FBAC270942CC0926,SHA256=03F71827A918BC4EC618518AC179A5C449184621BE2319A68051FB803D2B3C89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-595F-6112-2A08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-595F-6112-2A08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.288{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-595F-6112-2A08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:47:59.289{82A15F94-595F-6112-2A08-00000000E501}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032932Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:00.714{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A089C9EE58AE35FEDE5C66BF468B0F,SHA256=AF8AD7A809BB53D7FBE854B2D11E90A43EF88796875C9945ADEC8B62CA557714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:00.835{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A417D07C13DAFD1B9F26C279409E9F,SHA256=FFD04D83DD01A660E0CC781387DDE6A866CAFE59BF252AB2A70E95215D46E6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:00.304{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E086438EEE66FD5F92808020F3BA30CD,SHA256=181A0BA6659EC39D7FD48C725EBE538F865818DFFF604A149295542E942B12CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032933Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:01.761{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F4F58538C8BE9FC50E3A650ADE8673,SHA256=31F9268F4E1ECB3365B35AF57E2A7089276A804BA370519D5CB3138E8D956049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:01.854{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DECBF858FAAEDECFE011AE4FA188A8E,SHA256=96E1E97735E12F223A5AD8F12D21D61B3534FD39F2DFD27717B53CFF4CCF9CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:02.870{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FD6F5A0411D4802F2EBF5C5CBA8239,SHA256=3147F289620FC7FFB5A52A69294F89A704AC3FB012694BBF12D84EAB5A0D11D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032934Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:02.761{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2EB273F74DE479B488101072A2E758,SHA256=751CA8D73831397FB6DD61AD96BD0F9C8112A41285793F530BD00D97B233C7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:02.087{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6B3BC8BC6F47F85518470CB7E4137F41,SHA256=877B52AFFE671FEB428EAF0C6644FDB10C821F4360D8A9D7FECD9F8C063F0F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:03.902{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C574E37B6481F1384A07A0FF5F215,SHA256=91E3B75B6ADF5DA62FAD43161B3D7C0728BF8101AF4171394AB122787AA9D9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032937Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:03.871{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032936Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:03.792{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8EE820628CB71485E91DAA050C10A4,SHA256=1F00459DED328F8E2821B2C0D26CD9A6FF37EF81D45EC3EC05B47E3BC4CC3C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032935Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:00.962{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032938Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:04.808{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517DAC4796C023A832C2D2690E34B47F,SHA256=38376CC81310D977AFB341C786C2CC9223E76B6AFD9355A0E637FA4FFC29475B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:04.950{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939FA5DF9000EE6185EA97AF696C6EF2,SHA256=7B22B1B399595821C8AA0276E6FD3E8FD744AD4875C93866EBCCC468670366A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:00.607{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64372-false10.0.1.12-8000- 23542300x800000000000000032940Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:05.824{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD6797A2F97B7FE74B6E646873ECC8B,SHA256=6ED87B817955FE9B83C2D8CE70BC48099F5E965AA49DCBFB8AD87049BC6B4159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:05.969{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A534E88577C76C6346663C802EBA44CC,SHA256=A72EF8423A61D946CE3BCA3B29681BECE7B9C140E3E155C6279477E7E5976540,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032939Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:03.634{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000046492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.984{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80344667AB3627DD20B1C44177FB201B,SHA256=157DEE540C575D2F988B4CE311BA015BE6550FBA67BC84449907DEAF44B6FCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032941Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:06.855{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1687D2EE789B781B31731DAB65AA3DBF,SHA256=C8CC71114A99E33D78A291DC75E0A290E569021746DC205B0876E46D1E923576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=BD7FA40B79297B3574C99B9B11255B97,SHA256=961D0BDF4B954D5BA045833921592868C0841BF5A82568E663AA0C8513FB1FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C238A1E7587F0CE1F28B40B1D03EAD1D,SHA256=8E722437614C8948B4DD6C2277530ACEDBC09525A42DED749A974885CB820380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=9BEACBEBFCD53351163C96AB1AF3D374,SHA256=2D3210142BE8669EFAD22430A016C629E273061010DB42807F36D9BAF3ACB435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=65137FF4488F61780E1D56097F25FB52,SHA256=E5208122276903DA564BE5468468476922B5FBAE5469C60C142F064818246C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=FB82EF422F6EBED7123C1840B59A7DCB,SHA256=8A3C4E03D3D487BD2094F544961A53C236B7DE1BE9E1FE9D0C96EC2181622612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=0ACBDB44376CF3EA50285A9D59DA75CD,SHA256=C66E25CB89BBF2D9DBBA12818D8DDB11E8DB93D366C40290792961344FC5A458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.600{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=530887CFF316F480837C01A9A4D67F62,SHA256=EE94DECAC4E00FEDE35BC14DE780080BFB4A791D16FC2AF6B39D8BFABCB92037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032942Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:07.902{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740279CF0A507C41F309155540AA469A,SHA256=A5DDCBF6844B6493435BAE42F568875EB0AD4ED18EB84961D26EBC08B92A54D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032944Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:08.906{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14720E659BED6942E81143CCCF81F6F5,SHA256=0E2BF32C4342BB728868DB2DED4CC425CFECB8EE15EB298E5C0C314693A2D899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:08.014{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F340C2F3A55E9C713FC48A6CD2FE4F,SHA256=9B551DCA723A29E02894E0AE9F31217B26B85870DC98D07157AD35495186B4A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032943Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:06.962{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032945Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:09.922{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66047D54A2D7D6E16A0C2339BBFEE55,SHA256=127F31F7B3969A389DA47174A55E1A87C6BA2943F3F541FD9095028993FDED6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:06.603{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64373-false10.0.1.12-8000- 23542300x800000000000000046494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:09.016{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F69054FFE57E3AA707DE1D626AA223,SHA256=EADCE13180617006222BAD75600A1D5EBBA14A7D3CC2B44A2A41B3E2BBC2310B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032946Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:10.937{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4EE7C5B5B2347DB8EF7233ACCF9B6A,SHA256=6F33D558F4D2ED7EC842F6A9A4CD97370243343C145CF60BD54B31E842C07E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:10.031{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC758F9CC1A120D9B068E07E7CE6027,SHA256=D62800DA2E512C59355BF793C82DE938B5A20AD25AA84501D13218F9B9AF29DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032947Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:11.968{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD2FD457DBF9F63925A97148198DB2F,SHA256=CEA710D554163A9CDC3B3DDC405E370354C4A8AC43B24EF64B48D73C9B6FDEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:11.049{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121C2EBE98AEEC44DD0591C303FBD9B6,SHA256=C4CDC16D7672ED3C0F3D69CE5D4735D48A19466C42B9DE91FC24F082719C2178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032948Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:12.984{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFAB7310D3CBEF01E5E3FB2D99688BD,SHA256=129224AD4690CB5358CE323AE5705E76C4FE4EF3F2D35871ABAEEA7CE4717A8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.583{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000046500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.583{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.583{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF90060e.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.148{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377481D3098AF0DF653DA26AAA7955C6,SHA256=98421698B09B819A9BA15883347DCE248425AF33690FF6D3AE63DCFEF0405A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:13.151{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09C885180569303B48E878C4E150227,SHA256=2493C4FF03D2C6067BE5476B15F571BFA1A3D8522309DAA151517E949C8C2FE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032962Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-596D-6112-9C06-00000000E601}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032961Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032960Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032959Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032958Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032957Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032956Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032955Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032954Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032953Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032952Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-596D-6112-9C06-00000000E601}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032951Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.609{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-596D-6112-9C06-00000000E601}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032950Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:13.610{82855F7C-596D-6112-9C06-00000000E601}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032949Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:11.998{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51519-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:14.189{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D52945BC522C717390DD488AAA58A4,SHA256=DD5DE3DE9C06A9A58CD9DE42A44F190AF0816738FBA7D37D84632BE845F297CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032992Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-596E-6112-9E06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032991Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032990Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032989Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032988Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032987Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032986Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032985Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032984Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032983Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032982Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-596E-6112-9E06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032981Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.890{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-596E-6112-9E06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032980Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.891{82855F7C-596E-6112-9E06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032979Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.828{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F1230BE57AD57DF3310B68EDC33B68,SHA256=2695FB8FF49EFF9E3F822019443C7B671FE3F08BC9F2D2205BE609F762E42667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032978Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.828{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=511F513EC19611CB16B99F537641B662,SHA256=2973E9FC50B2CE9C3627A36E3328E8A9A33CFC5CAFE8B6975A6186760034B174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032977Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.797{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DFAD3E559B30D281690112712D977D74,SHA256=DBBE5884FC695A255FB942E696BEC3B9DA704EBDCD1756732B3C19255735EE92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032976Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-596E-6112-9D06-00000000E601}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032975Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032974Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032973Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032972Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032971Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032970Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032969Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032968Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032967Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032966Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-596E-6112-9D06-00000000E601}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032965Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.234{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-596E-6112-9D06-00000000E601}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032964Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.236{82855F7C-596E-6112-9D06-00000000E601}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032963Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:14.000{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26B5D593B164118C1753664A6289D12,SHA256=F6D0AEF09AA801E51B6CFB6F8FE2823A2676470B26847AB30C6DBB7C72081472,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:12.637{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64374-false10.0.1.12-8000- 23542300x800000000000000046504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:15.202{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3DE0954C6FF569AF5856B0B50A7A76,SHA256=2C5F35FA0A5E1317C8EEF0AC06974E136D7A863FFE5E21525DA9F59A64EAC38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033008Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.937{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F1230BE57AD57DF3310B68EDC33B68,SHA256=2695FB8FF49EFF9E3F822019443C7B671FE3F08BC9F2D2205BE609F762E42667,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033007Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-596F-6112-9F06-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033006Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033005Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033004Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033003Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033002Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033001Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033000Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032999Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032998Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032997Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-596F-6112-9F06-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000032996Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.922{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-596F-6112-9F06-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000032995Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.923{82855F7C-596F-6112-9F06-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032994Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.125{82855F7C-596E-6112-9E06-00000000E601}2960628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000032993Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:15.109{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A758153965B2A9661F6F12D4ADFF8F3,SHA256=E4808D535C1CE67D89F740475E6C0B0032898E5FF71EAE8B7F429A47750B55D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.654{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=EBEBF73258EA013D47E8E535B0091058,SHA256=8601A178E71180D9D1898D31E9721A887C21C8078B6F6576F43B0B19A8F86D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.654{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=6F75C643AE53ADA4AD8C5B37930172F5,SHA256=CA6DE73D4CE55AA711E17FD4ACE3A896797B20FCCB36A080B26351942108C983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.654{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=0A5F88D02ACB5C3B7310E0E0B22D9052,SHA256=3313F455A97049C797354E4A8273EFC31260BE4876FE8FC4CE956CFE7009ECF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.653{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=209F45EC4223FEAC308A5CFBF5E32CBD,SHA256=EAEEB75AA2B026773F23FE36BCA19B13144FEB26C533E81EFC2218FE9D1ABDC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.651{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=3EF9F07C7D22A8D6F9EE6B612AB9C975,SHA256=1D9836B46BAA8F0C49C4EBB56909193C01FE2C4EE4299D1C2CB5B7E8601B9F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.650{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=63234B9DFD2BA2D64CA39F1FDDF1799F,SHA256=176A26EA6C29BDAE3EBE6115B36F4458C35722777BD5E2143D8A106A584C2F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.649{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2D255B5E5EEC144BFADC1C5ED192990B,SHA256=62FB3F4A98A8A73C894D2C41525DD87AAC1F10DA3CACA3BCE46928698E9F883C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:16.217{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE7AD77BC9F86A57B926E6730521A6C,SHA256=E7D50153FD9C123F4556FB327AE2A81D598864648CB58BF042320A77B983B144,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033024Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.611{82855F7C-5970-6112-A006-00000000E601}25961712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033023Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5970-6112-A006-00000000E601}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033022Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033021Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033020Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033019Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033018Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033017Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033016Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033015Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033014Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033013Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5970-6112-A006-00000000E601}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033012Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5970-6112-A006-00000000E601}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033011Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.422{82855F7C-5970-6112-A006-00000000E601}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033010Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.141{82855F7C-596F-6112-9F06-00000000E601}26363528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033009Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:16.125{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3C2F205E78317976F342C38234F113,SHA256=947581B8CD1C6DFA40A0A63CC924EE39EB8C314EC41E29CA91E127A007177D91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033053Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5971-6112-A206-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033052Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033051Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033050Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033049Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033048Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033047Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033046Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033045Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033044Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033043Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5971-6112-A206-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033042Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.765{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5971-6112-A206-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033041Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.766{82855F7C-5971-6112-A206-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033040Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.437{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82AE32AE1D4C31581572C51AFA3623CE,SHA256=CB369F9DAF6CD7D17CC737F238BEC166A4811B5D7FB6989FF3CC7A74AC03BF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033039Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.390{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7F0D48F738525ED564536BCF6EA212,SHA256=4005961DBC6E756C9DECC47BE4DC9FF5A1E9CA3CF081533CBB4A8DFE18695BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033038Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.234{82855F7C-5971-6112-A106-00000000E601}2644488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:17.232{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF15943C51F04A419AE8CC1DEA134AD,SHA256=6D6B2BCA9CF779488FB278F933E4CE0176D3B1401582A6ADC69D1621720C3E9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033037Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5971-6112-A106-00000000E601}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033036Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033035Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033034Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033033Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033032Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033031Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033030Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033029Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033028Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033027Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5971-6112-A106-00000000E601}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033026Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.093{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5971-6112-A106-00000000E601}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033025Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:17.094{82855F7C-5971-6112-A106-00000000E601}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.568{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.515{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.515{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:48:18.515{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.21.155844561C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:48:18.515{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.21.155844561C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.249{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B86BE9E500972D534667782D73718A0,SHA256=7801D573509B92BEC25E2A390786BFE60071F2E18D3CC8FF13B55744824F5592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033055Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:18.781{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F323A4C7C546E9A0D0D998B887EFAAC,SHA256=E587E82134A7B8C58DA91A07D825C185F5C03C41174361036C6A25437902A7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033054Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:18.281{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DCB7DD48605B0EE4949964E926DCF9,SHA256=36A62725469E3E4EC3743548D0BD18A90A88EB0E8F08D4991A388B5EB0AE44BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:19.268{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AE12186CC56260161905C51F150249,SHA256=DA1D3B3E9B01DB889690DFD37909065E7B28FC3936D8D1823402CB2F2CED68E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033057Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:18.013{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51520-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033056Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:19.297{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820417A7A5B7A56A1225258685FA89BB,SHA256=0B756BDC0D49BF8689ACD04143D56D0CF943A22282209715F672BF1FB5720FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033058Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:20.328{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A83554A19FFE784F4D1A194D9F506B3,SHA256=3CDC2CF7B5A32D0D6ABAE46D781EA1DFB29DF901941C9F2AD6E97C34DCD5218C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:20.283{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF7DD43E0E526CABE50E8B6BBCBEE00,SHA256=372CADC3399A1BEF4324296021E85BBEC5BB1A3FF571AA2D9084C872AF572781,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:48:20.045{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd5-0x3bbc34df) 23542300x800000000000000033059Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:21.343{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1863CC01E8FFD21540A1AE1CC81538E2,SHA256=8BD59E84D58217A47CD3833D65CA82B91D7CACAB27881F07B357DA471FD413BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:19.464{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-15.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x800000000000000046525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:18.603{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64375-false10.0.1.12-8000- 23542300x800000000000000046524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:21.284{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C7FDC1D19170206D77C635842832B9,SHA256=61ECB0CBB03FD4BC8E15F8F28331951F4884AB3A99223C02D1636B8574E4D235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:22.299{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9AAC08C46F5C632060004770A8B1A6,SHA256=0C2BE6ABF8B2ECBA3064AE66EFF12D974DD77831049F7726396A83665595BDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033060Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:22.375{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053E0A60CCF9ABF2A4D0665DC6A909DA,SHA256=3CBC18F14320CD389EE4ED72FB767A0FEEA0EDFA1D1EB0E7D08CEA61FECD55A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:23.330{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FAB223BB356DCFB0D601E72C5CDA6D,SHA256=013362206E7CBF823269C960947076C16214803CA1AA1184F24BA2E372687946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033061Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:23.406{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0345BB625C1B1C10E239B1FD1A97EC83,SHA256=7D6BA7E15F856B6CB5C16BA6ECB80F7A2A5077E58563D2540E30B900D106573A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:24.348{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EDAEB08F811675F8DE8EA76D1B636C,SHA256=F9E2211DFE2E8DD81E028A0C91416B9389AB905FC421DFDD7BA7254F50B0650F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033062Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:24.422{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C7FC0510616CA099F4BBB7A5F6B6C3,SHA256=96FA5EF65C50F75D95F5E3ED70E9489AAF61D0F3F0026E0C65B04AE9D67CF520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033063Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:25.500{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9A2090240A3BD09E0A8BB3E653EEAC,SHA256=6BC65563A2623F7028EA9348081CA72286CDF9D398B4F1DED805775B84BD85C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:25.366{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4457DCADAF6BE480A745BDAC9E416CD,SHA256=6DA02B0F1BEBC3B7FAF95201BD7F8343F55494AE1F7857A0C41D6DEB47B4FF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033065Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:26.515{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC33021DB734F2823B72DE4C6D3E8145,SHA256=6937697BA7573D96C8AC5E4BC7DE2D43191AC8DD6B5A384CE5FE343B05271B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:26.414{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9909B9FC3EF4540F5C737E9EF21A91E,SHA256=6BB2587A7C13BCC7B00800E4EDA18D29B2909A73AB7EBC614D1B0919382598F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033064Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:23.935{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51521-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:24.583{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64376-false10.0.1.12-8000- 23542300x800000000000000046532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:27.448{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D36884FD19EF6C515DC21031D48D7C4,SHA256=9BDB665467F170F513454DC91493120AACFBA6E1E45CD371A8DE294471DD0FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033066Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:27.609{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80A6CE88F2D4F79A829CAE78978BC39,SHA256=72B4FE2914606342F1475F85F9523CFF80114E1D7C43392A1E7D0CAB0C6C3BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:28.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEEDF5C971F33DC4864F16DA85FE9CD,SHA256=CCB988DC0946BFF46705A9D81872FCAE67E0D51B558DA825D2EE1A3D97C4CC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033067Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:28.641{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C3432421FBC0BCD39C1F194F5C5D09,SHA256=6F24AAE1763E081CAA0DADB42B54BA3816FCB1F9861368816C24FD898FC53D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033068Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:29.657{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF393B24D335FFC6135D3914CCA3401,SHA256=24CD0DCFA6B9D2A4E0E25422444BF9A26A3DD04490FD6281541E992A73D8AD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:29.512{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B160607FF97D6029C23FFA396EFBF022,SHA256=E892E8CE619FD6687ABB0EF10CFA9BE6FF12410471228930F379082F905D7F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033069Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:30.688{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D42685F5F267641C1B1C95D9A075DC,SHA256=E486D11DB2F0AD00CE1C5741832180EE8E9D35AF18F07E688698D105C2922E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:30.596{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:30.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F50E6EE6CA3A1B795CE74CDC381BD8,SHA256=0939571154D77793BEEBDD78BD84DDC7232C17F8D9B480774F76DBEFFC133F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033071Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:31.797{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7931F5E4500AE7DCE8EFC9E0AC4F837A,SHA256=C486F5A68E2E0B4337074C9FF736D2DBE7B4510EEEB641DCBFD54533CA81E3AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:29.663{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64377-false10.0.1.12-8000- 23542300x800000000000000046538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:31.549{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE4455FA1A5F1A9933DD3EEFEB821D,SHA256=8A6ACAE2B8C5F5D93EB53845A234D252B3537DE055374A65F15E74C4F35FED06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033070Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:28.967{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51522-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033072Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:32.844{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8D139A82322A22DF5DDCF0B6610361,SHA256=24B3878B2AE1F4DC9843EA038A1E61F5BBF1F03A09D1BA7E94E28904BB41E6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:32.963{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=711B56D5FA5824E9843C510A546B2264,SHA256=E36B6402D256274626097020190EC7D453FDFD4B0BA9283594BA3CC63E56CEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:32.963{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B2A26F276B2D5326EF20689A254403C,SHA256=83335229736A7187EDD04E8E84BFA342A4E48A4531E133000002571FD48C3F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:32.595{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36585672498B6439331FF76DC56C9BA,SHA256=3F99937CE34F24BDA6A24A8DB2C7DCDE5A59188D4C7BA1C25CB87C97C7746334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033073Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:33.938{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12AB69669286D0E3B0AFF9AF2D4307D,SHA256=843B171014DD2414ED2470D67F930368D9A173D8E9C0B63901E05B1C082B285F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:33.610{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1367CADBD2DA70B0FF84697C91A9DB92,SHA256=50870E2E073C5D0A80AD48C49A15E431BF300BF10589CD974AE10222D3DC1E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:33.510{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033074Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:34.953{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3BB33A3455EF7CF868D421F317F66C,SHA256=1167EE2C076801169E3F3AD5D25B28423CFF3197F8903027203AD57F75146F6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046548Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:32.930{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64379-false10.0.1.12-8089- 23542300x800000000000000046547Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:34.630{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6465A4ABA78132CF792D6230367C899C,SHA256=2A5F97B853A2490FF74640138C87FD83D53E53BC00F9C659D6AE2FC6D530BCB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046546Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:31.362{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64378-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046545Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:31.362{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64378-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000033076Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:35.969{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923EF4ADB949149D3C1CEA42B1E589B,SHA256=8ADB6D339AE4A7DE156048604B1A364F118D98F235701E6FDB2D01C25072C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046549Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:35.647{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8229DE7E4DC6B150F8C5E643F11D8874,SHA256=6C2AE4CBC86D3B851E09BA96E92127135793389B296830891AA9D5FBFF172961,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033075Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:33.983{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046550Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:36.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571C460EA5E4895374B476C7A5FF25E1,SHA256=13CE041E16FD4F186489DA3023570BDB9EBC31D336ABA96F1FCBC154F643C09B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046552Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:35.617{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64380-false10.0.1.12-8000- 23542300x800000000000000046551Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:37.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3414D3D2C064778D50F70599A0B629,SHA256=057738FBD9F65501278E0FB05097572E752C403CE26CBF3F955E3D7AED19E830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033077Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:37.000{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4AA407C7BFD38A2AEF91E1A6D04C21,SHA256=A71C705974856ED7BAA7EE9D6A39F8048B0B4CAF8DC8CF5F225866A78E9BF198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046553Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:38.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BC5156FB2597F52C7889BF91486625,SHA256=0EB9218669ADB45B66367A067C4731A32E4F0FEDC4A944800FC5059409E18E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033078Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:38.032{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9778784509DFF6F390D7658E7CD68B,SHA256=832A2E217191FBF64040191AC354F8A6D868E05F3E68FCB2D4DD2764A42EE572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046554Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:39.697{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CBC3CD86760E9887FB1263FADBB852,SHA256=30B1018ECD554176636FAB4C8EAC6342B8D2E1E2859417ED1FCB25E953AA8AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033079Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:39.063{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2673470A8DA077A30204F421D88D3690,SHA256=500F7F2DDD29B2D767440826152560D452F06D4830EA740A02DE8BEEA85FD8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046555Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:40.746{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8FF52136234670FE685BDD5303E751,SHA256=4341C81BFC60B23E94153DEF4C94D0E6BE9D076B7AA91DB6F10D3F5F3A4D22D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033080Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:40.078{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878D003868016DF70783CCD01339F2A4,SHA256=3BA357BA999D90F192D2001EE8DCB994DB107A41728A2B65B0B0597F30B49295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046556Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:41.766{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546526111B0A543B3388B213CDD5DC0C,SHA256=53DE3A8EDCD20FAC4BE96F9FFF7B031ACE7FBCE013EFA176406FA451FBE361AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033082Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:39.826{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51524-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033081Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:41.141{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D4E741DC2DA523EEF99AF608650766,SHA256=D3EF637AEB633A833E683608909BDD9F654074A5D2AA865F327558BC3FE44286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046557Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:42.781{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64E3B38D9708CF2F7E76C59DD10AC6F,SHA256=0BD4F61475508D65CA2B85668F8D787040A1B3DD9C27C8E27D354D9BE3139EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033083Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:42.172{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAB3696050CFA3934BF9AD4A67FFE06,SHA256=9A664C998549AC220AB0C60A96B2F537085661D6EAA7790DCC658DDB88A94AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046558Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:43.781{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AC5F9DE06771DF210B61241F047B31,SHA256=6CDF64674F625FB9D7D0DFFE3B03E6BA8D9936F43B6ACD4DE83A1F89CE9717B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033084Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:43.188{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E81981265A96B65A1DD2B0E1B02A89,SHA256=98D3EA689C6807CB7511FB621A37C964F7568DF666938696FC7DC342ABFDC90C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046560Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:44.796{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E15AE88F2304AC7E9E3A40D72EAA7D1,SHA256=B62E7320B81970324DAC2CF0372C3C7ED7EA6982543DB3522A7C47C1308440C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033085Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:44.189{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD64C50894175873938D84A5F5571BF,SHA256=D2235375E7B6848FF18030D601ABE525371899321E8412BFE84A4843D457EDFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046559Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:41.547{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64381-false10.0.1.12-8000- 23542300x800000000000000046561Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:45.796{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7785837EBAA4C0272912D39DFC883D70,SHA256=FF384DE1B18D32A4ECEFBFA19E53106067DA48C506808A03F06AC9B28CE8380F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033087Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:48:45.436{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd5-0x4ade7b71) 23542300x800000000000000033086Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:45.201{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D20F69BA2234D9895F852FF2E914420,SHA256=92C18F6269531767411E9D91A2BFD87CB2DA502A9509E3B7578AFA1AC8087C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046562Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:46.827{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5543364200C613E5F11D6452E7E85BEB,SHA256=9DDF6000146652DD3D46D48FF6C3C6044A291F4C1AC2BC07187D8776E3A01B26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033091Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:45.199{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-456.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000033090Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:45.199{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-456.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 354300x800000000000000033089Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:45.043{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51525-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033088Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:46.219{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4D2FED5084E0695249BC5D7606AFD0,SHA256=BC696EF646E5837CD743ED4420A60BDD7109CA437B8056E47D5A1542F029224E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046564Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:47.831{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B312038835E0EDAE177427D3E17FDC0,SHA256=596413200B513AB6CBAB0DCEC5B92408D5002EE8F68D667D965ED1AEFF9D888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033092Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:47.266{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C31CB663AF0F2B1E05CB0A89B2D7A49,SHA256=2B6D3889AEA5B10E0ECCA1773F06DAB164912D006AC4114EB32E3037FF149E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046563Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:44.858{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-15.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000046565Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:48.848{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F442CE6B80C15725E9DA2699E25669,SHA256=76208487FFA44662FA386BDA12CF8670DD0CC6897ADA1374D2A6BA4A429ABA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033093Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:48.299{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0876A27AD6E546A7C0962127BCEABB43,SHA256=4E20CDA288072E792FE216E74E19FAE08FDA7DDCE119C8C214B39B0910ADAB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046566Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:49.898{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2052B31C45F56147E75D0AE57123AE23,SHA256=75D5FC77246BBB452BB8E185A767D69BCA82AA10B01D62F73F07EB28D4074F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033094Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:49.330{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C0BA136E7E633DA0470EDB88CF9401,SHA256=DFD889F0F6094500F8F3F64FA1A1532088FB56808DFE08822ED6293153E05D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046569Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:50.916{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FD692BE73CA52FCC01806A3E7CE531,SHA256=2FF00C005C2B5AD15532CFE2E4595A8DF374BFBD1F69AEFE125DD311132B0853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033095Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:50.377{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFE360DBCAC3BABBE038EE38897B8B7,SHA256=DA0CB7AE9D514B00EBBE7A43CE6191F0C7FF9884549947B1630B0C4FB2749658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046568Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:50.182{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF9098f7.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046567Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:47.485{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64382-false10.0.1.12-8000- 23542300x800000000000000033096Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:51.377{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F34374E98E5FECAB0C9FAA87C008058,SHA256=ADED4F03073A60EDB615F0EDA437C4AB2FAFE15543FEF444EE952C02D6638558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046621Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.588{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=EA9917F106535044892A53D020DEA69B,SHA256=B884E2E1B384D63675F89682AA711C8D7ABD03E7DB36A4A828B8B4176B1E5E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046620Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=66561B176F3D771822FA797FA805CF55,SHA256=22C728F77523AB53FDAC3855574B4EFC1250DFC60839A9989D571D3D9DF75D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046619Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=C4CAC042AD9762632CF30D1A71660493,SHA256=D1AC36DE5E6EBCCE0219D37EA8ED90D73DA4BF7079E6DB379FEB4BA1199AA7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046618Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9EAA0F97B27147E9FB572C769421BF36,SHA256=9E29E7FE913780E33F45ADB2CD9D03C4E782D5DA5E57AE9287BF71BEA703BA3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046617Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=4DE8E1E1C8454403D83A7BE097FE6F9C,SHA256=306C95270C13F9C4679D9A183DAB5B03C0EB2DAC3CCEBDB21637A5F131087067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046616Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=92CDD5E61BC9769EF07B364B474B8EA9,SHA256=40C50D1F510E5C933F6DF90364FA2C945B68E36B3599CC5D7EA9BC3459E27902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046615Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=839CC6889CF025B44D33913D41A30485,SHA256=736E83909AFCFA5EEEC5A4AF615BE9CCD72907B7D847EEABFDC72F91462AB0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046614Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=42A822B6BB1626FF5F9E08C849C10E47,SHA256=47CE6F8CD7DB698A68E79C3E282E3A73567AB4836955F5DD12C1F0B30B03F825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046613Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046612Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=5D5C1B661B041EE63DBCDC648DA95D66,SHA256=02F9BE363D83A2C1E9A56233EE16EFAC6524E9C80E5934715A3B10ECB01978A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046611Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046610Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046609Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=8B0A0C062D7AEEFD9CC54621DF25CDDF,SHA256=9F3386944CDCC4127AC2D2919C9CC00C0B433DA9D816A6E16829B77A0855D440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046608Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.572{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=328859C818E509DFEF0F70658C1F27CE,SHA256=F05E37360E431A1CD1DC31947D02250684ECD7F2A74B73A27721F67702911A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046607Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.556{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=DB942B781C203E3C754E5895B21F6B95,SHA256=0C5A481610C99BB5C596242EC54098A9CDC2DC7D7DF2C62DEF9D6DB60CA99BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046606Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=2E4D151E3D6B3EC5BD6998A5E8234EDE,SHA256=0BA699A9AEC1A592EDD80CAF11940340D979B26425857C02DD09A5718607370F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046605Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=17E86566A298735D211D62D9A2A52AD1,SHA256=01C9E799CC6EE5B87B298A0FE32F28AF55944B50491F740723DD2E013DA1A242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046604Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=C6A40794C6C005C6EA63536CAB32C6D3,SHA256=C586C8D85498A5B2266619114BDEBD4B8A50F46FF900198FAA2CAF5D35A25A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046603Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046602Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=F65ED2309BEEB639968C7622DE89B138,SHA256=E416140EA8A4E8046BB7D347051AFFF456D6A8CB347F4310EB0DC669350B6CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046601Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.503{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=57BBF9FC9539018C50B7371CA64D421E,SHA256=E5F404CF9911985194825518222A285B21B6A2A5702C0361360EFCB24286827D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046600Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.488{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=55BBFDEE7D751466E71A387FA137103E,SHA256=C468619F4F5F0FA54A92ECAE8637662D7E2417F0E7556C72252B83B4EDB74210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046599Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.488{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046598Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=28233730802D51CDBFC58AF9E125BBA8,SHA256=CB410F27D417DEB64E4183F6B3896BBDE3588EDD0D8C68B5B7CEFF7A83574606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046597Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046596Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046595Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046594Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046593Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046592Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046591Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=B0D75A1A685F4D099326DDB449BB9112,SHA256=DF0B35FB913B4DA13BDEE5164066EEF2F3AEDD529751FA02EE10D3C9AF042D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046590Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=5CDFF64ECFA96293CEC446FBB9ED05AD,SHA256=DB5C943BF21572DDC47280697B8D12DCB7E28EE7366F29BCBC7FC6A4A37A6279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046589Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046588Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046587Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046586Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046585Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.472{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F3CA7BD9B1554B31CAA66255B8DC476A,SHA256=3D6253F4ED13AAD2C51222A9053555CA8B9454E5F8E5281449AA5CDBC7CC749E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046584Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=C193F500A6858A2FF10F939216622299,SHA256=87B49EDA26BD4F6DAE04D8DEFD14473B40FAC5703BA3C43DB1269239E03C7330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046583Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=5D9D7830400881CAEE755851F1C08D73,SHA256=98B0A25DE6BDF7C982C61BA616E967524E19644464ACA0EB2E406A18044BBFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046582Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BFFB8F4198AFFCE5F3D7A719B778E2B7,SHA256=D789DF00295F639C447D61F2705929AE3D362745B97E8B5CE7A8225B63162B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046581Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=F922446B2E6BCAB9EBD504A6477529F7,SHA256=34DD5186F2E7DAC18D69098AA66C0D115D8AD8DA465CD803A7AEC3FC1C3DFCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046580Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=9672DF7A0F0A2922DCCB0397E6D11B01,SHA256=BE501A6B9B613BD536B9E70AB0EEA9F324FDF0FEAB570700A5E22B79468F45E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046579Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046578Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046577Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=E09CF07E8EB9286004F5C008C0497474,SHA256=30FBCC82FE601CFA48472687B9FDEECD88DFFA9D201FD3AE2EEE1EF178F6FFC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046576Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.456{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=6E86D26A7650DEC0D59940F9A3B814F6,SHA256=82714B1C82C4F36A0EFDBC65E78253CA5CDE4ED42B80FEF6989FF565168C0147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046575Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.451{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=55BBFDEE7D751466E71A387FA137103E,SHA256=C468619F4F5F0FA54A92ECAE8637662D7E2417F0E7556C72252B83B4EDB74210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046574Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.434{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046573Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.372{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=C6A40794C6C005C6EA63536CAB32C6D3,SHA256=C586C8D85498A5B2266619114BDEBD4B8A50F46FF900198FAA2CAF5D35A25A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046572Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.356{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046571Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.356{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=2E4D151E3D6B3EC5BD6998A5E8234EDE,SHA256=0BA699A9AEC1A592EDD80CAF11940340D979B26425857C02DD09A5718607370F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046570Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.312{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033098Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:50.795{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51526-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033097Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:52.393{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5846F24093B6DF10E07D75057BED8BBE,SHA256=7F9A4E3224C03AAAA1B3C033FCBABF5660E459D6BE4C8C83A207C6E898811C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046626Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:49.627{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64383-false216.58.212.138ams15s21-in-f10.1e100.net443https 354300x800000000000000046625Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:49.626{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local56653- 354300x800000000000000046624Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:49.624{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local63035- 23542300x800000000000000046623Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:52.218{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A489DE713E0B68D7DEF753603C7C7F6D,SHA256=8AAD8936A36DAD0609F33BB1D2F129A412A0E0941CE491289E55FED3904049D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046622Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:52.103{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033099Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:53.424{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA81E20332E2AADFE6C6E0290A6BF5E,SHA256=286B95C05ABE9A92512D916A9640818106AC339C658A22EF6598BFE28C8FEF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046627Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:53.119{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CCE40742E8E082467F82D37C4A836A,SHA256=F177DDDAEFCF647C002DFF1EFDED8303291E388E26800EFBC07EEFEB587DE539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033100Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:54.440{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D280169A7EDD40335714D77EBA25DAC4,SHA256=02FC78CC9E7335456306F48E0F59E8C7B5DC3DB76B2C44081AD0E9A7EC09E157,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046630Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:52.606{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64384-false10.0.1.12-8000- 354300x800000000000000046629Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:51.754{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53579- 23542300x800000000000000046628Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:54.133{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C748A40D14EDDD3842BEE5DA98FF879,SHA256=1998F496C425C796A2AC3AAA4A0E8C1D824457FDCC515E65620AF151F15D4947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033101Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:55.487{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D641FE8A6D18AD11937F9A10C6FCF4E4,SHA256=1A6C488834940CBF2060D1637822E72DF1A768F8FCF592689DDCAA55B24AC648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046648Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5997-6112-2C08-00000000E501}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046647Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046646Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046645Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046644Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046643Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5997-6112-2C08-00000000E501}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046642Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5997-6112-2C08-00000000E501}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046641Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.869{82A15F94-5997-6112-2C08-00000000E501}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046640Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.369{82A15F94-5997-6112-2B08-00000000E501}11445852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046639Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5997-6112-2B08-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046638Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046637Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046636Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046635Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046634Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5997-6112-2B08-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046633Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.185{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5997-6112-2B08-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046632Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.186{82A15F94-5997-6112-2B08-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046631Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:55.150{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181D619F562ED87EBFB8AD7319016B08,SHA256=67788728E77811723A17285EB042B4C4763F4EDBC0A62F1B1EF0563227004325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033102Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:56.533{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8E2941AFA28B6097DFEF9FF7713170,SHA256=AB5662983BAB6F593ABEA4D85D8FE4FE9D68082E8F0E49F83B87BC128B9627FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046659Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.551{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5998-6112-2D08-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046658Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046657Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046656Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046655Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046654Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.549{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5998-6112-2D08-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046653Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.548{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5998-6112-2D08-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046652Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.548{82A15F94-5998-6112-2D08-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046651Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.268{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326CAA69A00A8194DA53E9B9E4A0C702,SHA256=F76AEE35BC6C1E9F2E62EA7A929344C27D9C108F9F5869C74EBE824922822A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046650Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.268{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=711B56D5FA5824E9843C510A546B2264,SHA256=E36B6402D256274626097020190EC7D453FDFD4B0BA9283594BA3CC63E56CEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046649Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:56.184{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521282DFF60DAE741D3DCDED81418D4E,SHA256=F7DB151D9A0BC1698116017B65B549A324893F49C94F040BB055E75DCB2B0F9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046678Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5999-6112-2F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046677Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046676Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046675Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046674Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046673Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5999-6112-2F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046672Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.967{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5999-6112-2F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046671Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.968{82A15F94-5999-6112-2F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046670Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.583{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326CAA69A00A8194DA53E9B9E4A0C702,SHA256=F76AEE35BC6C1E9F2E62EA7A929344C27D9C108F9F5869C74EBE824922822A47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046669Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.449{82A15F94-5999-6112-2E08-00000000E501}44326656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046668Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5999-6112-2E08-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046667Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046666Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046665Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046664Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046663Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5999-6112-2E08-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046662Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.283{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5999-6112-2E08-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046661Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.285{82A15F94-5999-6112-2E08-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046660Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:57.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE71AC0D7B1F47AAF8FB617A9ACE9F94,SHA256=A01FB307F72BF23A10BA0454BADB77FC7E2FFC5CEF97F074EBC3E584E4A8D87F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033104Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:55.951{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51527-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033103Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:57.549{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EB964026E330FB49C19355AB808968,SHA256=14D5877D9A8629C78B0CFC78BD96E520289B8AD72AB3B153C768EB0E408A3E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033105Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:58.565{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790303BEB7599F135E127E430E842627,SHA256=A743261FCBD313A4B92A07E34158F40F19EEBCC9FAA7ECD8B5FF7F06C3E17EA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046689Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.813{82A15F94-599A-6112-3008-00000000E501}43923928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046688Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.650{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-599A-6112-3008-00000000E501}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046687Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046686Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046685Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046684Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046683Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-599A-6112-3008-00000000E501}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046682Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.647{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-599A-6112-3008-00000000E501}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046681Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.645{82A15F94-599A-6112-3008-00000000E501}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046680Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.229{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AABCEB3B16D773396AB99017E89DE6C,SHA256=CB82995C866F758EE6FDB591E12D7E7C03AF2FAC2C88433E9C49EC84691D300D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046679Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.129{82A15F94-5999-6112-2F08-00000000E501}59885524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033106Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:48:59.612{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC458769349D26C4A4325237217EA4E,SHA256=0285B01EA92E6D768217AA99D040ECE4A3FB7D11B4B911EA78DE98469AA143FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046699Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-599B-6112-3108-00000000E501}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046698Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046697Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046696Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046695Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046694Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-599B-6112-3108-00000000E501}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046693Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.313{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-599B-6112-3108-00000000E501}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046692Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.314{82A15F94-599B-6112-3108-00000000E501}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046691Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:59.298{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92D4996E9D22D0474F164987C91EB1F,SHA256=84AD7C92A752CC42EBF3C57DDA627C85B788DAE743104EA0E72CF46088F03C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046690Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.998{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9238D5C3B84FF347EDEBB491B9050D5,SHA256=7C3EC31008F8250BD945B48E7D94BD9FEF86E668CF25300D8D2FED846E6A76C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033107Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:00.658{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882B758FDA82806C55810E7D346A0F77,SHA256=8FD7A5564C7E4B958FBB8B22B5ED4E71E182CB8CB527326FB92D1EE6424128E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046702Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:48:58.564{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64385-false10.0.1.12-8000- 23542300x800000000000000046701Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:00.313{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB26E0E53AD00A9C0D9951219B67E5F,SHA256=465E47BB7CF74770F44ED66D24754DC4121E778BED4BA1F2D46073CAF47681E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046700Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:00.313{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5951A9B20A7351FFB3CA5E5040BF76A9,SHA256=BE6BC37D0C54557787D26B06AC286F52CD721D03AD49D39EED74426E83B1CD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033108Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:01.690{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B897685291AF121AF37D8B6AC9B510,SHA256=534EF1CF095C4813718935362D78CA64057C50DFB9C38EDF248AAE9C2A24AF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046703Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:01.347{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D74B3B742A717A7AB249C193E0B2C9E,SHA256=7E295358E05014A707D9B04D5BA16F08C9EEBBAF2BAB25406FDD4046EBB2C05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033109Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:02.705{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA41B80B0D1FA8626E31617CB5810B3,SHA256=6434F09271EFE014BD524E2902FD590FBF1C50EE5D1A40A3824759FFE22A0A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046705Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:02.380{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4FDAD4FCE1C0F98961E396CB5F9B7C,SHA256=C2096A1D26598A7D8A04611CC929D3B96516024890B9B81F3E665D2C14FB03EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046704Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:02.096{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=84DE4D9FA430CD5E8407A30A59623BFF,SHA256=9FD7A3E9F2822A8455FCF1B59BB060833C3CFB76F8B91996199F817D09BE2F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033111Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:03.893{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033110Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:03.737{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2000FC2E38CE08FCB43E5C71B718496F,SHA256=B7DA918D6C85179169D7B446117DE1E2259196104EA30BB6D1E696429D1A235F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046706Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:03.395{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27591593EE171778ECD5E3BE77F06A2C,SHA256=23E295C33F7DBC168AE2B2518E3F80B74059171A5E567F32B4DCC4E853E9CB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033113Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:04.752{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09067756187B5AF7B68F5DC128F9570D,SHA256=0BA77A3E14318F8DBD0C6A7853AC6D0860BB50F3948AAF5D1B701C56947C74CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046707Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:04.410{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851F5D48CC7B383CC20ED5CBB6838B3E,SHA256=1A87FB146518236DD9F90344B63E5A772366C78B4CEC5859E76AA526FF6DD930,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033112Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:01.998{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51528-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033115Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:05.799{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A0BE48CDDB277AF9B2A06B2489754F,SHA256=7A792926E7D235A06F9E9A264D6ABC90C1AB1D3179B10C6DBB61653B96D5E916,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046709Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:03.680{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64386-false10.0.1.12-8000- 23542300x800000000000000046708Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:05.478{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D146E63426EC45AB1726C880EFB9F247,SHA256=50C27195D4CA7C4AB893D471EE9D92663B9151C2698A11C0FD7224730B8C7C2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033114Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:03.654{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51529-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000033116Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:06.830{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C40FD23D651A418D8058B20CD58342,SHA256=CD862D0477E8189E7A59BDA415D1FAFADF2CE98370C1B559D80552F0C8652273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046710Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:06.493{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EADA65913E0B957594C0348682DCE5,SHA256=BA65C39B4357BD3358F831F01BA89BE268DDC951642BAD6626A267DD7B0759F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046743Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046742Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046741Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046740Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046739Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046738Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046737Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046736Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046735Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046734Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046733Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046732Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046731Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046730Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046729Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046728Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046727Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046726Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046725Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046724Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046723Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046722Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046721Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046720Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046719Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046718Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046717Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046716Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046715Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046714Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046713Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046712Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.961{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046711Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:07.508{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE07E64476D6C982A50C7588841A1D3,SHA256=5F0D9620D7D8E5E458C0D71D41A22D321F1DBDF1A1E2C6BC7DBD18E5684D741B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033117Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:07.862{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749C888BBD1F875FEDBB8769973DBE74,SHA256=F41E89299841B75005AF9347D5003C5BD1C968BBDCB17FCDFDAB7A9F1197728F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033118Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:08.866{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2573810FAE2E3C1A2D11EDF58D46581B,SHA256=A6C1170B1500AF2920E065BCB0130BECAAA446F59EDE66FC8EC2ECFFF847E081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033120Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:09.897{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E61C0E31A75BF88A3726D0CB7122B1,SHA256=CDE286D830D6C9AFD15565C5E803FF6410576FC0E05636BB870359D16F94A514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046744Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:09.040{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F2C74AB472EB4F637A4C20E964030D,SHA256=83FAAAD776D9F70E069D7114599CD64C773071459B849686528E767B645FEFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033119Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:07.982{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51530-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033121Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:10.944{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B559448E4CA9BBEC6E5031D072139CE0,SHA256=40E01501DE63895FC5B2EC65BE00654C8C7248198A52F9970B1E6FD248AD90D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046745Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:10.059{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA406B4E397FF43567A07383F26C291B,SHA256=5D98C01699D0F951D4006A7791AF118ED32E442DC371390FF235CB99D32B7724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033122Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:11.960{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE2AB258868BDB50ED541B959AED246,SHA256=AC3EAFF86DBC740FE30302D3B857957089D89AC275061BCFF873A5D0876EC597,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046747Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:09.494{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64387-false10.0.1.12-8000- 23542300x800000000000000046746Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:11.121{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB35D0187F0AB74EB187593BA7C45B6,SHA256=D7F98A4DF2751C6618FCEC65510A3551A832751955584D5978E71FA1A8258D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033123Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:12.975{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C319A5B248E031D72A284767DC129737,SHA256=DD2E6961D3B59494F1EAFB1FFA40C67999B3328ABE9BCC15A9A217036E7229D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046748Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:12.173{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E968E3B38BB1071EFF6F661A6B249D,SHA256=FC0C389C1A9C591871C047131411183E58E73F1A52E75F05E286B49B5E6E4AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033137Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.991{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F69CECF0BE5A03B890DF066DA7BDCB,SHA256=AC8301A360E3C2627A748B70FD5493E874FCE8D96AAA6EA018E3B3C178C6047E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046749Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:13.188{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4632E4E1907A7BD6B42B410F2B91178A,SHA256=E5CDE5D680EBEB212B7E2B24606A5D034CF4C82FBE32B164DDB38023E38F4801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033136Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59A9-6112-A306-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033135Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033134Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033133Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033132Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033131Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033130Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033129Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033128Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033127Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033126Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59A9-6112-A306-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033125Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59A9-6112-A306-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033124Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.632{82855F7C-59A9-6112-A306-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046750Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:14.203{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0F35BBFA7ED568398A43772E3C9E53,SHA256=D2AF11B183B5C247AB5F23E854A5D09A5A5DEA5F3CBE55AA8DDF574AF61E876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033193Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.803{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=13C69FF8027589CDCBEBFAB95D7A8769,SHA256=0601FF22B9E1B61FBDCE87CC897EC148A65D27137D034E6F5EBDA8850026D2B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033192Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AA-6112-A506-00000000E601}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033191Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033190Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033189Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033188Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033187Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033186Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033185Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033184Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033183Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033182Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59AA-6112-A506-00000000E601}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033181Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.788{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AA-6112-A506-00000000E601}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033180Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.789{82855F7C-59AA-6112-A506-00000000E601}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033179Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.647{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=839A4749659AACCD53D6F6BCCC8EEDDE,SHA256=1FCD4D4CEF7C4B12E255B3BEC3F0EAD7D1F9522892FA1F00D162972415556C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033178Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.647{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F22CFFA1879FE5A5FD256BB8B284067,SHA256=2FD514FD0C2ABE0C02A0323CFE41EB7B9E86F7C4F3EB3826392E29CE3F633BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033177Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.304{82855F7C-59AA-6112-A406-00000000E601}20921964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033176Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.241{82855F7C-3680-6112-0B00-00000000E601}612328C:\Windows\system32\lsass.exe{82855F7C-367E-6112-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000033175Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AA-6112-A406-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033174Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033173Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033172Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033171Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033170Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033169Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033168Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033167Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033166Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033165Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59AA-6112-A406-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033164Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AA-6112-A406-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033163Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.132{82855F7C-59AA-6112-A406-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000033162Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000033161Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000033160Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000033159Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\FlagsDWORD (0x00000002) 13241300x800000000000000033158Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\TtlDWORD (0x000004b0) 13241300x800000000000000033157Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\SentPriUpdateToIpBinary Data 13241300x800000000000000033156Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\SentUpdateToIpBinary Data 13241300x800000000000000033155Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\DnsServersBinary Data 13241300x800000000000000033154Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\HostAddrsBinary Data 13241300x800000000000000033153Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\PrimaryDomainNameattackrange.local 13241300x800000000000000033152Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\AdapterDomainName(Empty) 13241300x800000000000000033151Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\Hostnamewin-host-456 13241300x800000000000000033150Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{BFFDFC13-F67A-4ECC-9FE4-7AB2055122D1}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000033149Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000033148Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000033147Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\AddressTypeDWORD (0x00000000) 13241300x800000000000000033146Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\LeaseTerminatesTimeDWORD (0x611267ba) 13241300x800000000000000033145Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\T2DWORD (0x611265f8) 13241300x800000000000000033144Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\T1DWORD (0x611260b2) 13241300x800000000000000033143Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\LeaseObtainedTimeDWORD (0x611259aa) 13241300x800000000000000033142Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\LeaseDWORD (0x00000e10) 13241300x800000000000000033141Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpServer10.0.1.1 13241300x800000000000000033140Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpSubnetMask255.255.255.0 13241300x800000000000000033139Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpIPAddress10.0.1.15 13241300x800000000000000033138Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:49:14.069{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bffdfc13-f67a-4ecc-9fe4-7ab2055122d1}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000046753Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:15.255{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90044536C08685A2C871EAE43E83992A,SHA256=44BD67EC87CD39872AC0260155DABB1EE354E66EC418E64DC7EB856E9E4B6C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046752Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:15.255{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA83C3950EF0193B94277FC193C6AD1E,SHA256=218AB59F9A26AE1E841F5E8CE51247DCE9CD287295311DAE21742691C8BF2F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046751Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:15.218{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD26F9125BEE7BAB6ADB47158E991E37,SHA256=882C180CDF9B193940038CC5BBDAD65330B0E940E3FB9E5B1299CA53CEAF4979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033213Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AB-6112-A606-00000000E601}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033212Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033211Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033210Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033209Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033208Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033207Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033206Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033205Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033204Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033203Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59AB-6112-A606-00000000E601}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033202Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AB-6112-A606-00000000E601}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033201Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.930{82855F7C-59AB-6112-A606-00000000E601}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033200Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.805{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=839A4749659AACCD53D6F6BCCC8EEDDE,SHA256=1FCD4D4CEF7C4B12E255B3BEC3F0EAD7D1F9522892FA1F00D162972415556C16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033199Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.859{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-456.attackrange.local56587-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x800000000000000033198Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.858{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9860:b621:8e9d:ffff-56587-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x800000000000000033197Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.858{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9860:b621:8e9d:ffff-54687-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000033196Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.858{82855F7C-3681-6112-1400-00000000E601}600C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:3c49:c8d9:2d5a:968bwin-host-456.attackrange.local54687-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000033195Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.846{82855F7C-3681-6112-1200-00000000E601}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-456.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x800000000000000033194Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:15.147{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AD51C2BEE3F78978EAB714D7324B48,SHA256=FD4CE1EFB90596870A087E8CB25956FCD6C1875B363A1FB3510BD8623E296401,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046761Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.386{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\AlternateServices.txt2021-08-10 08:54:16.121 23542300x800000000000000046760Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.386{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\AlternateServices.txtMD5=A78ED05A3F8E3086308C4E0764C13D94,SHA256=7C01E3AFD66A08A1C4D1012413855A9D76C70C22225D74C4E6117C12EC691857,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046759Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.286{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txt2021-08-10 08:54:16.052 23542300x800000000000000046758Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.286{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txtMD5=DC31534336A68FF5E46137BC045CE661,SHA256=22EBB7C963134ECC8A31A223FCE2BA761740AFED96A4DCB032A29745B2B4939D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046757Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:16.254{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51899826EC10CC25504925485E7882B2,SHA256=FCD1C57C08C3FAD8B935C01A7523488C3256DC13ECA0DBA23826BAB470F93404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033231Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.758{82855F7C-59AC-6112-A706-00000000E601}32041892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000033230Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:14.021{82855F7C-367E-6112-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51532-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 354300x800000000000000033229Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:13.893{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51531-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033228Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AC-6112-A706-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033227Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033226Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033225Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033224Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033223Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033222Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033221Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033220Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033219Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033218Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59AC-6112-A706-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033217Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AC-6112-A706-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033216Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.602{82855F7C-59AC-6112-A706-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033215Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.149{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242579231181065A86B4D29A64B8EE7A,SHA256=E628627D5FC7E3B3C25681532867318154BB2929ED2F9E7814CD895CEA7110AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046756Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:13.679{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51532-false10.0.1.14win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000046755Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:13.517{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal54313- 354300x800000000000000046754Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:13.516{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal56587- 10341000x800000000000000033214Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:16.117{82855F7C-59AB-6112-A606-00000000E601}10202208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046763Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:17.285{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95947FDA6A85862827C0A40D73477CCD,SHA256=CF844B5934FF6004EC2F61AC877B7431CC6CD7EF5F45A037B4BE58E08A2B7B7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033259Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AD-6112-A906-00000000E601}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033258Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033257Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033256Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033255Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033254Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033253Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033252Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033251Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033250Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033249Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59AD-6112-A906-00000000E601}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033248Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.945{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AD-6112-A906-00000000E601}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033247Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.946{82855F7C-59AD-6112-A906-00000000E601}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033246Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59AD-6112-A806-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033245Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033244Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033243Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033242Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033241Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033240Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033239Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033238Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033237Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033236Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-59AD-6112-A806-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033235Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.273{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59AD-6112-A806-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033234Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.274{82855F7C-59AD-6112-A806-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033233Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.211{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DDB4EE79411A74B2553D88B73C1976,SHA256=AE3B52D2A7705F5C52988313CE018D9EB44FEA04CF0FA8DBBD5B2A651B673697,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046762Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:14.569{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64388-false10.0.1.12-8000- 23542300x800000000000000033232Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:17.164{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7D7CA66925FF2855389DD5EE43D12D1,SHA256=F092F4DEB54C3FB1937DE742E0754EFD69E5861F536FC294DE23AB8AE7FAD2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033262Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:18.570{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20B572C0F33C8D5A33B5116304B2ACC,SHA256=B9086AED079987075DAD24B87871111EDA72E0BE34056FEC93DED6CCB4CA053D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033261Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:18.570{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4689389E474D1AE4D6221D052DDEB148,SHA256=54AA1BBA3FA23E2A755FEBD393E287A14EE462D6135E3FF3F1584E1D46002782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046769Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:18.584{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046768Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:18.553{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046767Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:18.553{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046766Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:49:18.553{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.59.8555027C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046765Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:49:18.553{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.59.8555027C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046764Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:18.315{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58224644AE924EA2C77D0050B1B02399,SHA256=9AEF3786526CD5F9158DF50FBD42A2E42E534A424444FC76D4B4C959EAD757AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033260Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:18.117{82855F7C-59AD-6112-A906-00000000E601}24681172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033263Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:19.820{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932C784531464B35C4DF0B0282436257,SHA256=0C90B7E7D83D7276EEFDC558F97734224996CEDD8EAE7076FC3CD67833689BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046770Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:19.334{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEF078CF65F5448E6A515EB9989046C,SHA256=9712FC1B3658168AC540415A133C92057A07EE4C9FEAF0FAB5D2B5193D739E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033265Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:19.035{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51533-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033264Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:20.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D1A2E6B9D23A3C9AA072A54EBA0F1A,SHA256=30F04F54D68EFC05D61E4E8E70631F68AD0CA92793D297FC8B0D07E869932F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046771Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:20.351{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6AED060F378F95EFA72B5E1380CA1D,SHA256=34E0800F3758BB179961EA172BD26979541E9992E5B960180FF51213BBFDA870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033266Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:21.852{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C9FFEA08FFB8A9F9FD3E478CAD6292,SHA256=FE8AF8958237C0CF69D1DF26F8A86BD7214029AFDFA4DD5FE6AC1E81B750BAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046772Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:21.382{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337FF38FBFFFD145C523DB7292B05DFB,SHA256=A4FE29E4245E583DAE8961F7D88234B702AC0A2863BB223C89E02EE1F68128AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033267Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:22.914{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B3EB38CB53410E52592ABDE382F863,SHA256=19972A74D89507E432AF4FE71EEA1013005CB47D1C6700BB4B5E2C0DBF53AFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046774Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:22.412{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAAF5CCF28938FE65DBA333CC75DFC8,SHA256=332B0DA86388763C94610C4439C0E6E2965E5D13A2D850D420AF3BFCD143BDE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046773Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:19.649{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64389-false10.0.1.12-8000- 23542300x800000000000000033268Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:23.930{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CD38A39FC43F51841C6E77E8B004FD,SHA256=7DB15320121E69497E5D39DAB783F87DA43023943D3A9D1361995E5BB0EE9D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046775Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:23.430{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B854059542CA99F3B4AE67905D336942,SHA256=F76336E14DE145D8E3B642D400813EADC7DECA96DF142B59253F3802C657578E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033269Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:24.945{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DBFDB0935A119CE3F821E410E2C043,SHA256=7C0217E14813E7F3B67952BAEEE4E6BDF64EA9F3742B0CFAE016F8C75606EAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046776Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:24.449{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5A600C8E8BB8103F3FE2116DAF0A2D,SHA256=1BA4A0AFC633F24041C8F3BB4892FFF3DF31368F468323031E9B257DD426344D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033270Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:25.992{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1AAA099BC4B7E193D81DC6DB12ADAC,SHA256=94CE358AB3AB9782AFB97C0FC69BFDEEB0DACB255FAF0588A98D96A452309E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046777Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:25.479{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB16CB804AEC223A3E0BB7328444DA91,SHA256=6551107D80EA9DD43585A8836E697DD15CA6C981040676CEB76AD0E69789B7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046780Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:26.494{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B186D729E8E5465E307130AF89145F,SHA256=A80997E1BA285F96E3B9DE7601A69887B05ED324935140516EA26C913A55AD57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046779Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:26.031{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDE32F8252E6ED4BDC7745FEB21914BE,SHA256=5AD2D5088CAE88DEEE1CFD9D03274A6F4A4EC31ABBB5107FB572F19CCC52B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046778Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:26.031{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90044536C08685A2C871EAE43E83992A,SHA256=44BD67EC87CD39872AC0260155DABB1EE354E66EC418E64DC7EB856E9E4B6C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046781Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:27.509{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4947B2A3CCD9E31B804605E2CD0A2242,SHA256=11A729BDC2D747231FC3BF11EF722951635401A93F25C24C4471FC6D0AC19514,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033272Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:24.941{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51534-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033271Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:27.086{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2716F6A12889C2EE64C5716C3B56779C,SHA256=2C6912DC534A54C29BF6704DC6146B4E7A34D3F6373BFB64ABC72E7C31D00693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046784Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:28.846{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7B2DEECC778244E048460A766F32A370,SHA256=168D15FA2FE5B43D816720B7F21D0FEDC68E1A280B705779305B27B5E6C48F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046783Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:28.509{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F90DC9858E88D54A19C82546051900,SHA256=49AF32720332CD47F3FA9D44FC7FEE7DE50D83D057D64DB65EA1AF73A1C305CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033273Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:28.102{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D94D378233F88D6CAC6369FF639579,SHA256=011E4B78C78DF3F5BDA1E7DEC516188C5FA3B99EF9809FD3F7D6B0802AB3F79E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046782Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:25.514{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64390-false10.0.1.12-8000- 13241300x800000000000000046795Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046794Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00913343) 13241300x800000000000000046793Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0x033d4b59) 13241300x800000000000000046792Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd5-0x6501b359) 13241300x800000000000000046791Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0xc6c61b59) 13241300x800000000000000046790Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046789Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00913343) 13241300x800000000000000046788Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0x033d4b59) 13241300x800000000000000046787Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd5-0x6501b359) 13241300x800000000000000046786Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:49:29.693{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddd-0xc6c61b59) 23542300x800000000000000046785Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:29.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2714F36D0908B592FC66DF3E5B349D,SHA256=31BAC05AC6111B3DE0B545A89E6D687462344EE51E1B2722DB0096F01E8CB74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033274Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:29.112{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A58FD08CB34E1DE5718AEC92DDC5A44,SHA256=843C5E5960DE0FD8A0B333EBC9FCE0765A6454175F9BBD240B3F350F30F8FAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046797Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:30.608{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046796Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:30.546{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51751275F7DC838435A79EB84BC0A40C,SHA256=35F55E14AB36DFCAB9F527DBCEDA4760E724544FBC61C8C8AB8D76120D477708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033275Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:30.159{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC334A295AC47E206B7EC8423159B62,SHA256=334B3E808BE0436236FF6D1197E3AA69FCD23ECF9134A7424205C458F5746A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046798Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:31.577{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E088CA9C17F89A9C6AEEB79F1B2889D4,SHA256=EB31925A2D145EFE513705736FE2708E815EC877EC62CC25A79A829821A1D496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033276Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:31.190{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86AFBD9D97A2C929DCB74B2C1B8496F,SHA256=3248074420BAD6EB657A5BB7BA1ABF965B125CF6CE1ABB32CC9897F6F6C96935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046801Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:32.960{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D1D8D918C4FFB2E34672E1F87A530E6,SHA256=62CB43AB7A738CBAABA84FED1A0527BCDF6BDEB598D91ECA5EB546EA4E6E1411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046800Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:32.960{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDE32F8252E6ED4BDC7745FEB21914BE,SHA256=5AD2D5088CAE88DEEE1CFD9D03274A6F4A4EC31ABBB5107FB572F19CCC52B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046799Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:32.592{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9708F41C655B74F41DA694B6B7E5AC77,SHA256=4A6EE54B1992F96D5138C399241DB0BE99379D5A39FFA6504D304DE251184727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033277Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:32.191{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107521E16D44B841A75B93EA836831D5,SHA256=190CAF7D6403FA7AEA35548B5A480B0B9088622D7EE7E8BE76F7CD663C2B256D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046806Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:33.607{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3157BBD31236027BC73DD9356DA91E87,SHA256=3885B5874FA7724C2B12BEB0BA44CEC4FD8909333D81F71C10B9DEBA43488148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033279Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:33.237{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9C0C67E87F8BDFA92B192F65290E02,SHA256=FC7212C1F57CF364F7D85452D84DAD37BA2099DBB4436D3D553F8A1C6DF8E2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046805Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:33.544{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046804Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:31.381{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64392-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046803Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:31.381{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64392-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000046802Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:30.628{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64391-false10.0.1.12-8000- 354300x800000000000000033278Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:30.842{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51535-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046807Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:34.625{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848D5DA637B84068E66C89B42BDCAB67,SHA256=D89E7198A8B25DEF8388B66FFAA80673366C6920810ED6B05221ABA0599016A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033280Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:34.253{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC217542712A3A9226E1BF47317DF807,SHA256=C5515F9506B48A62B484398BD01830E8AA4C6F5B6D9E4F4DFB39ED37CA90A489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046809Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:35.677{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F122AF0E4F88D3BB24E4096337D4E6C8,SHA256=E7C9D77521BB6B8ADCE1B87DBF82EAD50B09FBA1ED334A1885DAD4B0553EA13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033281Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:35.269{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5E60BFE99EC8F3272B71D1A7BBA12F,SHA256=A5E891B0F25F26D44030980B2A749A5116D995D2213B4BA930FA4E781F0157B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046808Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:32.958{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64393-false10.0.1.12-8089- 23542300x800000000000000046810Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:36.708{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEB07B951CED8A89B954E627B7694F6,SHA256=E1FAB223E5C87E25911A1EFB3C818BA0B3DC65030E345C2814EB0F124661652C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033282Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:36.284{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D922A92C93C8F0E85F155B0C78867A0,SHA256=4D7A60F39D16CF0E6C50EAEF287FAE1038555E5AFF9982051EFDF8F493083EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046812Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:37.726{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6495C709E4A629F01D12EED432AD00DA,SHA256=B1654FD2C0FE11706B3A62EB3B2CC844ADEF5C0A788F5B23BCEC88B2FFA0AC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033283Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:37.331{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E7C96E18DF02FCDB0D3EB5F5E9CAAD,SHA256=1891B35CC682890E926B609664E5ACEAB5645185646ACD206301D8450D57BE35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046811Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:35.643{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64394-false10.0.1.12-8000- 23542300x800000000000000033285Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:38.362{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B1B4993EA9EC52FB40EC18F9E5B28F,SHA256=8D9A6329A7F511C45E3776A87F6314BEA0AED3DB173839BB3E438037E74DF383,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033284Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:35.952{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51536-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046813Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:38.744{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B6C94F85E78AF31CD77F09AAC93412,SHA256=7A2CAB1F2975F53FFBC53FCEB281AA1EF9B188D5E9306AE82BEFADA406757D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033286Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:39.409{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F00CA9992A5566F61C226D0EC83BFD,SHA256=8AC9D3BD2CC81DEE718BD4159C0D768E531F3EF7C4B54293D0B06DE255307407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046814Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:39.744{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39BC91857DEEB1F922B10C2C6EF94BBC,SHA256=EF8CCB6CBB6E800EEA249FCDFE4037116A188420441E1B8B37C26B1667FDD127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046815Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:40.744{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762959E57B406EAAA844B1A7C6ABD96E,SHA256=ADED97BB21119AA21630545EDB4FC90FB8E4AAF94D87252096FC8929513DBDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033287Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:40.472{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8471A848559BE9620C8A50989B5229FE,SHA256=A918D6629803D9AD33B0B515A5A1485660B440F0F3324AB59657BA26BE6E6795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046816Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:41.760{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1635D94959D36CEF5E4506E1801B4143,SHA256=6F2A3CD89F4A81ABDC04CE32E2EB890E987D73FFAEC43069A58A30DCD43DE344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033288Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:41.472{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA82E70B459232BCBD60236B2CB6E8ED,SHA256=4BA575C22FA5083F5DA70DB00F561B4D646B4CD6834224370B81E1A3CB3CC58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046817Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:42.775{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D9DBF2D8D2B75A3582E987E30EB4F7,SHA256=EBC1A0D7AABC92B423EC5CD783235330C44C16E23F141494096E806073C976D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033289Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:42.487{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC1FD6A83E62E53B7583F743D0690D4,SHA256=5ACCA03B0D4E4B4F5E4824EAF6474D7BD8F153AB692FDB085A545187CDB326D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046818Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:43.806{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1488ED48B5985F819325E8FE80DBCA85,SHA256=1604A3B04195F0FF2DBF9DBD033F92381146B3C22FF59A6F1C77C04D50BF30E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033291Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:43.519{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2351D2ED033A9E70FA25E54208615993,SHA256=54A8F4E70103A5CC98DE39A24B687DAF67BCF0F377EF536D92C9A616388443BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033290Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:41.920{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51537-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033292Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:44.534{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE0DAE390FF7510E79FAA9E5C423124,SHA256=214D40B0C52FF561B60A76FF9DDA22F7BB57043CE259034EF6E920DE97C7349C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046819Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:41.579{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64395-false10.0.1.12-8000- 23542300x800000000000000033293Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:45.546{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03997636F8F64FB336DFACFA49B9B23,SHA256=873B198C7C010A1EA7211F6B9B7EB54F635D22ED0EF56BCE2724CB13C00D449E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046820Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:45.005{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6D8F5B69CDEE930E3239756FAFC503,SHA256=31A7F129E59BF0D00BF784476E78080EED833794D07F21F7BA7789F6F6A812D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033294Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:46.549{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4C0C2D67CFFEC85BDD468878550EA9,SHA256=32B3623363068522D03A23A5C4322848D82B0709476642F405C01EB25AE562C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046821Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:46.042{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8082A775089EC298C6709B52E96797,SHA256=3AB4B068910BE7D28829457DC2E745CFF39D77668CF05BFF6FE0F54D21107025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033295Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:47.595{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82FCB0923B92E74D7CBF81120882DF5,SHA256=87FE0DADCB7221AC3D73C1DA7A2B6B461E3F8260A7CAE363016E66FB9E8EC018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046822Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:47.042{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDFD317659921215B5258DA3B3FC8BE,SHA256=28363DF592AAF6134CD8611C9B3291CDD909A266F8F555CAFC02FA50BF279F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033297Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:48.675{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B391073888EF4A33A6E47C6FEAD8EE,SHA256=A65A5413434D67118EC8B60D661179B2F7BB0EC433E4A30885D9F08ED5D8CE4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046823Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:48.043{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC7FF5DF204144F6EA43AE1C621370B,SHA256=61A204118FDA40A41F4D73498FF99EB18BEA6F56A93BC011C709FE34BF47EA98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033296Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:46.997{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51538-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033298Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:49.691{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D640777660890EC683A072989E5B1E73,SHA256=B0557D85B4871FF95BBAED314FB92A221403D9C6A052226E16343F1C2E60104B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046825Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:47.525{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64396-false10.0.1.12-8000- 23542300x800000000000000046824Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:49.058{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE89FA92FAE312A40A194C605D152558,SHA256=1D9FB4E5A8088EED8640C872835EEE4AA7B80E823C3A9602887D23C5237C68BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033299Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:50.707{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D8F6FC1583EB45F7E202E347B5F0C7,SHA256=7871A50FCA955794736BE174CA718E2ADDC6EAD015C016833510BA1B73AA8C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046826Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:50.074{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA3053E69A366A5E694B3C38B4426F4,SHA256=8C958FE01797E62B9A4656B9181C6337A839CB7FDEF03EC6D02AADCBC33F5379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033300Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:51.723{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBEA56487CF0C3932ED4826F6245411,SHA256=9B60A63C4025FC1A9DAA2E737FC9617418C4603E91528F73C4D2A1007324E86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046827Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:51.124{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4D86F26F8B38EDEEEB9567257D9B4D,SHA256=B97D7F9F69E5F18B3FCCC3B8D66DBF48124DE325CD8ACCDEE2B1C69806FB55DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033301Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:52.738{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8E1AA544B449AEF28D29F032ACA6B6,SHA256=5CD439877985294FDF54BAEF1B8C12FCC3A78950587CF53457794CA1D76C3D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046828Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:52.128{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1EED7766C1E1F0F9141E6A0E8B780B,SHA256=84DF51D33C6387CDAADF725D1111EB8894C38990E4E9DB370E3B1892AFB79F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033302Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:53.754{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9599710670AC0B2D65049163A1C54387,SHA256=C83687FD652BC0C84ACC91719C1FB8F1DDEF86B1B2C81E14822E456D9ADB116B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046829Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:53.161{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D9CAA5B25533121EF88C60F777A630,SHA256=B7653CACA5C484D06ACCA867B8F53CD9880ABAD69F8849E893855F5B5FFBE224,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033304Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:53.030{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51539-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033303Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:54.769{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20566ED001C0C28B5F7A822E545EF557,SHA256=108D056669510A288C02EA855480C5866F2B0E7051BD31775D4F5BF532FECEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046830Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:54.163{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A915DA724F45E5660E05283463021B62,SHA256=E3B17757E191B90857BE63D242B410824A242E4102A45B208F9BF4A6ECEF62CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033305Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:55.785{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBE95B4B6B318572FE8555F3D49BD82,SHA256=A4E76C107D6E68AD54534FF7CF9AA635F5043328E7F1794639F06816B6CD9430,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046849Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.862{82A15F94-59D3-6112-3308-00000000E501}32325004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000046848Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:53.542{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64397-false10.0.1.12-8000- 10341000x800000000000000046847Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D3-6112-3308-00000000E501}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046846Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046845Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046844Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046843Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046842Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-59D3-6112-3308-00000000E501}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046841Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.707{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D3-6112-3308-00000000E501}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046840Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.708{82A15F94-59D3-6112-3308-00000000E501}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046839Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D3-6112-3208-00000000E501}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046838Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046837Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046836Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046835Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046834Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-59D3-6112-3208-00000000E501}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046833Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D3-6112-3208-00000000E501}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046832Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351FD53ABE1D4497BA77E30189A90D29,SHA256=4D37EAC30A5E18C5CC894A1ECD0568B28246419411B39FA1DBEC54A9524AD11A,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000046831Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:55.193{82A15F94-59D3-6112-3208-00000000E501}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033306Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:56.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D67F98A3503A015FC41240FBBF9B30,SHA256=BC2E35214C3341C84213C426CA3820528BA859510C04AB9602C390B88AA49FCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046860Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D4-6112-3408-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046859Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046858Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046857Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046856Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046855Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-59D4-6112-3408-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046854Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.308{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D4-6112-3408-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046853Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.310{82A15F94-59D4-6112-3408-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046852Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DD87B73021C904CB8F5B1FEA64A0EE,SHA256=62C68A24FE6256F0F37FA543EA263EA1E53763BD79013B80E7BA7A20E37FE00D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046851Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1E3D096B3880F3C96E5FE80AC54F47,SHA256=7C0878A882EDB0CDDBE8297AB45477F1A4A0252BED9FD81DAFDF2D5B11D67D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046850Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:56.192{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D1D8D918C4FFB2E34672E1F87A530E6,SHA256=62CB43AB7A738CBAABA84FED1A0527BCDF6BDEB598D91ECA5EB546EA4E6E1411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033307Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:57.816{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADDB97A7197EDD563C4A7230F6BBDFB,SHA256=822E2AD313D810D6F9F7C8448875C1A681610F1C5E00E128B04ABB7B811DEE12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046879Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D5-6112-3608-00000000E501}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046878Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046877Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046876Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046875Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046874Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-59D5-6112-3608-00000000E501}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046873Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.976{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D5-6112-3608-00000000E501}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046872Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.977{82A15F94-59D5-6112-3608-00000000E501}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046871Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.460{82A15F94-59D5-6112-3508-00000000E501}3322240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046870Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.326{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1E3D096B3880F3C96E5FE80AC54F47,SHA256=7C0878A882EDB0CDDBE8297AB45477F1A4A0252BED9FD81DAFDF2D5B11D67D82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046869Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D5-6112-3508-00000000E501}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046868Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046867Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046866Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046865Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046864Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-59D5-6112-3508-00000000E501}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046863Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D5-6112-3508-00000000E501}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046862Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.292{82A15F94-59D5-6112-3508-00000000E501}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046861Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:57.207{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E5CAA9AE020E866F196CB0F6EE5972,SHA256=291F847FFB24D888E84D913305F23E2ED201E572AAB9DD46E7133D4AE8A578D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033308Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:58.832{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023008BA586562269613C08CC8287BE9,SHA256=F916A3F1698A723B16C88A9BA7D25FAE1B643680DEF3EA314F84E76B96584BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046890Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.675{82A15F94-59D6-6112-3708-00000000E501}60405624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046889Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.528{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D6-6112-3708-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046888Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.527{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046887Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.526{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046886Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.526{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046885Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.526{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046884Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.526{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-59D6-6112-3708-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046883Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.525{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D6-6112-3708-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046882Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.525{82A15F94-59D6-6112-3708-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046881Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.229{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15ED1D2D09291CB1569A7B288B4AE18,SHA256=C98CB4E04580B4252AA2C1EFC2B89DEB36181E323148370D710DD9F51EE79893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046880Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:58.129{82A15F94-59D5-6112-3608-00000000E501}48845496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033310Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:59.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10998C80F8B9A7C1FBFEA9A6DC6AB6B4,SHA256=E069DAD9D85B5F66E6F81CA11ECA11514FBB229907557EF58009DD6342592030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046900Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.244{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB71BD2A10E42FC4F1B9F1E5E5AC2DAA,SHA256=47B8EE510DD476A5C15DA5774D2007FFBFDA24B2B9A657ED77FFDAAF6B2E3B11,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033309Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:49:58.030{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51540-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046899Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.128{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-59D7-6112-3808-00000000E501}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046898Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.126{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046897Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.126{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046896Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.126{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046895Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.125{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046894Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.125{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-59D7-6112-3808-00000000E501}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046893Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.125{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-59D7-6112-3808-00000000E501}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046892Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.124{82A15F94-59D7-6112-3808-00000000E501}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046891Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.006{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B832C5F2A744F984697A77F3C0B13C6,SHA256=BD4B65B6B322137EDB1053583185AF67D5BF2D6BC8AF638A3EF1412DCCA98190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033311Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:00.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688ED9C85AA1979988F00AB614B7E0DC,SHA256=767D8BB85721DD5CCA94165264143E28733C4C39C22BD1F2A8FEBAC1FAEEC51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046902Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:00.275{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4605FDC249131DAA7BC0AC91AE1B5C66,SHA256=8185742FAE3380BF77AEB23D77030EC8F01C56A90788FC7D85422AF00DC09A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046901Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:00.144{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDBD36AFC1B80D78A87F7690A26B9807,SHA256=373E3F590A85C9663E71F45E0ECC79DFCB8AA47043582E9CA410F886616FD173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033312Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:01.863{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8085EAB6BFFB57BFADF56706DD1D389F,SHA256=080F340B4C0AF6BF070425D3073CDF90F2C27BB162A1055A98065AA485A42705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046903Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:01.306{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C9F29F5BC846C7EA78F6307F86CB49,SHA256=C947D699712E8663FB326D4589D54DC7D148BA5AECDCC3E2EF575230DB128DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033313Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:02.878{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D457373E81291EF7712A946BDFBB76F4,SHA256=21CBE213C236A361CFB5C6EE27A4E57D595AC7ADE8CA9DFE5FE118FCB1E5798B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046906Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:02.324{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D10B7BD30EDC1D3F39A5DEBB83CAE45,SHA256=80000F37352CB4E1B5C0C320E023D7F333A806EE4033FB2B8BE8026A52541D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046905Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:02.106{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BD35730958A5406461D72819625DED5,SHA256=60C7BDC99C3A884C646E5A32D488AE36123E6DAEC0FD5F5318F4E5996632C9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046904Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:49:59.557{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64398-false10.0.1.12-8000- 23542300x800000000000000033315Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:03.910{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033314Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:03.894{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90FB6668434C0C11C528ABCFFB6F842,SHA256=FA90D6AE0C55C21F61E4098E1645C97F95647E5A44B55829ABF4E6E9A9052B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046907Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:03.342{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D05236D98524287CDA724D7C724BC0D,SHA256=3BF5F847F20A0D470CAAA860AF68EBC066CB70D59839030ACD58DF3F1837A6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033316Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:04.941{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351BCE467C300BD1B4E3D87B8301FEBD,SHA256=721DC7FFCE53D4B71110C1F1FE353E14D9F23534A5427D86061F238C553DCD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046908Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:04.373{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126B0D0D0BB1D699450A705CC8B82026,SHA256=FA56F661DB48392897DD35B590F9542333E35F38B54398BB215EDA1D58A18A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033317Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:05.957{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E593A6062CFF73D3C1E5A2E9F9F0C0E,SHA256=B38418618B568FC8EDFCEB03CE5B592901522D05F426774F5E32C0FF05AB2561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046909Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:05.388{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0A7B1B93ACD10ADA45E2909A3C19D4,SHA256=728E922C975BB6B3B1870104A68DEDD04C5AC6A843D8251A53187CB4A803E3D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046912Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:06.555{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046911Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:06.555{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046910Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:06.402{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEAA43CA1A2A486CCFE3145860B6E005,SHA256=96A6999EA83C3977F85C4CDF4D8D565DE5F19F8B48597D29A0F3E9381E61F89E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033319Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:03.874{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51542-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033318Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:03.671{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51541-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000046913Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:07.439{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01839AEB4D05D425226842C1F577425,SHA256=2D3346D56728AF6034927FE55E696FDCFA096E2707DDCA6B27C93FEBF323D84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033320Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:07.003{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC81BFF7CEC483BD7DD0897604F5323,SHA256=D1958EDF8A7C7A4945B759EF49902E461DE9E1383C490E3D5EEF87A0E908684A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046916Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:08.454{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5537D3465ADDE1027D0A208450063A66,SHA256=92B44A8177F7D4577647F101EF8023E5E85EDEDFCFE527A7DEDBCB2802279B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046915Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:08.454{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=45AB8077EB9AFBD0A729DECE6B45C6A3,SHA256=A46C1D5D106E4490BF431578830BCA0A4E7421305BA2707FFC363D8157B88E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033321Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:08.113{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27392A52ABD41F7A364F9A08458A4A6,SHA256=E7E05412172B970B2F206118612E5A46FEAD54C4B90B94BA8E51527CFDC663B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046914Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:05.538{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64399-false10.0.1.12-8000- 23542300x800000000000000046917Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:09.500{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656FF3961E3E2C30EDC298A07F0005AC,SHA256=341251E36687962BD3DB550ED315E09000B2D20A57E27DF28CDB35A8D80AB4FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033322Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:09.118{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124DA51564B752F610297A27F91E948,SHA256=0AC1DAD20C2139A505478AED085955967039AA1C11970D119E03C186BCB04AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046918Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:10.506{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFB4040D004F1263DE87184716EE2BB,SHA256=5BFC8D351984A1E8472257C294A714C66494FDC202D604E3EA18EFB673B4B554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033323Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:10.133{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91E866371F1F60CAC0E81120A37167A,SHA256=4D4CBAEB412B6F4F1E1A74487D39E46F918AE9DAE85CEBCEB152D4E7867695C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046919Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:11.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2172481C347934799D74ADE61D1C2985,SHA256=09338679A23ECAEE58A3FD7593485F314F281F736C386EF3793ABA17B9534C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033325Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:11.258{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108039D12523EDC29E04A95D8C1CAA96,SHA256=D86120C959D7BA29A23B17D95AC92BD692B786FC7117414EAE45A0F79222F0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033324Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:08.988{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51543-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046923Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:12.589{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000046922Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:12.589{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046921Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:12.589{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF91dade.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046920Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:12.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE74583F7B7C8EAD8690D3CA551588FE,SHA256=B9B3081D98CEE14F7A4FC3E0D280E832EB8807DEB4D9248350A7353E16C3B0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033326Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:12.274{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D05C3CBF6042F6B09A595F76AB88E02,SHA256=38C57917330C390A52942D1529E5C00F132584DEA72BB3CC2A4D189ED8A7F23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046925Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:13.573{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3DA85C8CFD16F7971E1CFCD042233C,SHA256=CD1A297FA6169A05538D889740849D14DF9CFEF9B64447BD12DE43EFA4DB155C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033341Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.899{82855F7C-59E5-6112-AA06-00000000E601}16563736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033340Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E5-6112-AA06-00000000E601}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033339Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033338Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033337Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033336Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033335Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033334Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033333Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033332Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033331Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033330Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-59E5-6112-AA06-00000000E601}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033329Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.649{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E5-6112-AA06-00000000E601}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033328Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.650{82855F7C-59E5-6112-AA06-00000000E601}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033327Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:13.290{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03C98BBD98146C0CF74AA0506CDF9A4,SHA256=F58AC5C76A60E4265F499DF28FB6EBE4026487F9A29607CD2ADA6731FB1DB76A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046924Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:10.678{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64400-false10.0.1.12-8000- 10341000x800000000000000033371Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E6-6112-AC06-00000000E601}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033370Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033369Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033368Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033367Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033366Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033365Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033364Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033363Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033362Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033361Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59E6-6112-AC06-00000000E601}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033360Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E6-6112-AC06-00000000E601}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033359Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.821{82855F7C-59E6-6112-AC06-00000000E601}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033358Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.805{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DF4CCD03D8C1DBBAB5B179F3DA677B08,SHA256=A4EBE2D1A7A34248F6A9E12EF05FC22DB3A6D24BBDEE03080966D3EC883E0657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033357Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04103D3C91B8A73476FF004977CB6932,SHA256=6D477D7ED87485A2D00AD585734C3989A301C354AE7F569ADB0AD24ECFFC6C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033356Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C04D212E250E85944C43DEC11946E67,SHA256=7BC9FD3A8FC71C30DC55580682F35C0B1EC88271473F3499300BC2C5B08D04A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033355Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.461{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD43619AE29494ABED9886B14C55BCA,SHA256=DB503CAC6B2C889E62DC022442F30FC262AF2032E53B104C6B4B87CD24D0941F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046926Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:14.588{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107677BF35FE1D90F9B093EC8B22A842,SHA256=6ABA22455D87967D75F36BF9B9C39B60804E7B7E39C975887EA3EBD831AA41AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033354Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E6-6112-AB06-00000000E601}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033353Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033352Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033351Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033350Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033349Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033348Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033347Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033346Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033345Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033344Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59E6-6112-AB06-00000000E601}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033343Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.149{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E6-6112-AB06-00000000E601}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033342Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.150{82855F7C-59E6-6112-AB06-00000000E601}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046927Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:15.642{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9356F0608F16C081BD7E1C087B08A308,SHA256=9C7E025AB217846CD065F9862AE2A4B2BAF75F85381E5109A159A1E9C946EAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033386Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E7-6112-AD06-00000000E601}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033385Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033384Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033383Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033382Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033381Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033380Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033379Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033378Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033377Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033376Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59E7-6112-AD06-00000000E601}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033375Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.930{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E7-6112-AD06-00000000E601}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033374Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.931{82855F7C-59E7-6112-AD06-00000000E601}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033373Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04103D3C91B8A73476FF004977CB6932,SHA256=6D477D7ED87485A2D00AD585734C3989A301C354AE7F569ADB0AD24ECFFC6C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033372Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:15.477{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E00CED057FE4C6D4AFD2BC7D42AFF88,SHA256=3A143AC697376E09137AC97C57B709D860F2BF390A1DFF2AB7C4E7C759141143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046928Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:16.658{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FC2722216DCE40440A6C3E848A0149,SHA256=E2AB9B21362D44FBDA4A4398BBC618BA2D62E2A440AF8B013C88EEB88A193F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033403Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.946{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B66CCDCF141B1A3BD136C6B69DF07682,SHA256=D98B1208CDECC4D95DAD6E854A37E658F6F9EA15A5EF5BD7A0BF12C8FC6D2BD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033402Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.711{82855F7C-59E8-6112-AE06-00000000E601}27403804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033401Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E8-6112-AE06-00000000E601}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033400Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033399Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033398Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033397Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033396Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033395Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033394Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033393Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033392Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033391Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-59E8-6112-AE06-00000000E601}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033390Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.571{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E8-6112-AE06-00000000E601}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033389Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.573{82855F7C-59E8-6112-AE06-00000000E601}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033388Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.493{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F84F64E6C921912E0235F27F11D371,SHA256=531BA32FA3BCF25304854F65D2F5EC799E720E47850A6E426240735ECF4D1C69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033387Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:16.102{82855F7C-59E7-6112-AD06-00000000E601}27081848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046940Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.858{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046939Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.843{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046938Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.790{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046937Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.790{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046936Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.743{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046935Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.743{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046934Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.658{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473F721AD741238FC314A56943C5BEA8,SHA256=87B8131166595104BA079BB32E5140508AA5FFD9C720ED9CA991D0B8AD6F0686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033432Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E9-6112-B006-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033431Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033430Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033429Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033428Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033427Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033426Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033425Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033424Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033423Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033422Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-59E9-6112-B006-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033421Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E9-6112-B006-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033420Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.868{82855F7C-59E9-6112-B006-00000000E601}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033419Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.571{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE996C5833075FBB1976FC1A3C57CD18,SHA256=E4DC67383E39C31A9E97F482E0882ACD15C2C5D02D9B72C01EAAFC04D0BC81A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046933Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.188{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046932Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.126{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-CA04-00000000E501}6944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000046931Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.126{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-CA04-00000000E501}6944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000046930Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:50:17.123{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6944.18.59231107C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000046929Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:50:17.123{82A15F94-3D8B-6112-CA04-00000000E501}6944\chrome.6944.18.59231107C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000033418Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.399{82855F7C-59E9-6112-AF06-00000000E601}22162984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000033417Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:14.972{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51544-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033416Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-59E9-6112-AF06-00000000E601}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033415Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033414Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033413Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033412Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033411Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033410Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033409Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033408Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033407Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033406Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-59E9-6112-AF06-00000000E601}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033405Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.196{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-59E9-6112-AF06-00000000E601}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033404Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:17.197{82855F7C-59E9-6112-AF06-00000000E601}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033434Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:18.602{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2006601ECDC450EC86644F583C78492A,SHA256=E0669F005B448ECE8C0133EAA2148B827ADA84A438401CD305E3966C5C9F668D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046941Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:18.673{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E8022476633900B079BD54AD5AC165,SHA256=026B5A8E7B98E18F415411FE091FEC23FD3E610A5332F221025C8530B1B14295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033433Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:18.227{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EEBCB9246298CDD94418DFBB6B51E63,SHA256=85D7ACF1D7EDEFDD79A86FF38EDD15AA3403D6119E679F2959D81B3C0CF7B522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033435Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:19.633{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78887BC245BF2C12FBA8AD4280CD6B93,SHA256=C5B69D5129A6916820AC005FDEB08B0F818F4739CBA2134DDA321A29393E252C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046952Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:19.674{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618AE0D7EA75A5983C41D01C7013BC1C,SHA256=C8AFB21EB4505B0CB3FBE17D49038A9836800DDC0A68CCBFE1735CF1858270E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046951Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.243{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64405-false192.229.233.50-443https 354300x800000000000000046950Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.226{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local57850- 354300x800000000000000046949Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.223{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64404-false104.244.43.131-443https 354300x800000000000000046948Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.214{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local59005- 354300x800000000000000046947Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.143{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local65535- 354300x800000000000000046946Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:17.142{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local50600- 354300x800000000000000046945Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:16.644{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64402-false104.244.42.193-443https 354300x800000000000000046944Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:16.439{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64401-false10.0.1.12-8000- 10341000x800000000000000046943Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:19.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046942Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:19.043{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033436Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:20.649{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CDB10C638E2519D51FEC057266022D,SHA256=B64F7F8662EF35259B693A85F04208CA2A933A75A588A69F24F32F107EC85AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046961Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.998{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1504F758F97C6EDDFA2C3307E2EFF4E0,SHA256=E904BD08C167AB39F42013AAD22BF60F3969164A0C94E96B3185C41D5F87DF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046960Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.967{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A2E145DADF2DCD3D58E8C0ED650C9966,SHA256=D7BE96C88182BF2093285E92DCAD6DE82667ED67E8FFF98D58FD0E82E502FAFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046959Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C3C85BCB9C70CAFBA822E1D6BC105A85,SHA256=7D8B15E8608442D877F436E4C25616FF6A0753C0F488859920D54342C7C45000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046958Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.930{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C898982A0FA545588297FE55F26C26F0,SHA256=9D899DC51823C8DF43881D40BB73495142DA8D82AFA9477A4005A128A4E1DC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046957Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.930{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=356A53F152027532326C4C628AA04AA1,SHA256=A90E853BE619ED948EFF2668830810E4E18836CF89A1C92B3BBFE56BEB4042E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046956Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.883{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0C837A5B6254BF3AC181381735CEC4A9,SHA256=606179C2CAFE0ABDFDBC1E5FA60B8FEA482B700231E1F642FA45573E60DF0DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046955Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.862{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B094E9FCEF5E88297F4ED0F098A8B8C,SHA256=0664FF9FF7DD66AA25537B05369E7302B30728B39609A1775A423D0F4CC90C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046954Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.824{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E85FF3392FF12248FBA3E776F962DC9C,SHA256=389B23D56C8644A97F394F6AF83AD070493EAB54D1A4E31476B61153F70983A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046953Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:20.704{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B63554EC096E7167CC64A33A471FE50,SHA256=E3D6CFCC2794E623CD42EDC582285189FB262989B7CF2168A86F878130D0763A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033437Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:21.727{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF787026F5A03F9BBDF2ED7099D17430,SHA256=FDBA688BE2DF3DA6BCF0974FFF6AF4E61A9D19F17828524561BAE038C892E9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046983Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.799{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EFDE8790E26D9D562DD2381A559971,SHA256=9A1F62B0FD7F63E2772B4ED6E5BA07F5218F26C5032735138601845F099949D3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046982Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:50:21.584{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000006e1) 13241300x800000000000000046981Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:50:21.584{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{49dcdfda-5f3f-4de0-9a45-6ee94382bda9}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2330|Name=New RDP Port 2330| 10341000x800000000000000046980Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.584{82A15F94-3494-6112-1500-00000000E501}1236908C:\Windows\system32\svchost.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+dbc2|c:\windows\system32\mpssvc.dll+3014e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046979Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.446{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=626E5FCFB2A88459BFE0A79BD6E9489B,SHA256=EE91FF9745B1C4C9A71B8304EE2A1837EAC763834FA2AB6C82B929C76E200B7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046978Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.384{82A15F94-3494-6112-1600-00000000E501}12884316C:\Windows\system32\svchost.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+a8874|C:\Windows\system32\wbem\wbemcore.dll+634f0|C:\Windows\system32\wbem\wbemcore.dll+f474|C:\Windows\system32\wbem\wbemcore.dll+b6f1e|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046977Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.368{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046976Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.366{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046975Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.366{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-59ED-6112-3908-00000000E501}1996C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046974Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.346{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046973Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.346{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046972Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.346{82A15F94-3491-6112-0B00-00000000E501}6326204C:\Windows\system32\lsass.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046971Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.331{82A15F94-3494-6112-1400-00000000E501}968172C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046970Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.230{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C9E32AFCC589793336B4C1E24DB775A3,SHA256=70CE659F196108FA0801AE935B952AEE8907249010891576EC6D24434713A540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046969Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.230{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8DB3E24E62550D6D1273545C256465E0,SHA256=57B0F3B9612982D4757BCDAB7EBEE9CC97ACD5ED8C54E89081CB28283F862764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046968Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.215{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1BF4F542BD2B1735BEA014662BCA0F91,SHA256=39BD5433F6A1E83F0532F79211D517347A4F61FE0E2FB84F323FFFBA615504CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046967Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4AF3F40D80049993AA80EFFF1A5E24E3,SHA256=181C9F10FDF006C56D537AF5CE6F00EF7AC0EA72558B4097B663537F1123B3F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046966Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.168{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F127BC971E7620ACBC7F1D87B8D1A3B,SHA256=2577D9D4AFF59935863DFD7793BE341174C07123AA313822FC3CA395D5CB10B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046965Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.168{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=433D8DE7B15E8E44E351219B17998505,SHA256=142E0BB7B08264F58CC3202E0ECB346CFF0A11BF1EAE8244503A5FC7728EC77B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046964Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.114{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38EAE5E442CFA07E12FCD37CF722635C,SHA256=A0718C4773406B16F3F62BE62053EA81555F86A8EC7B89DE8942E3BF9CB8290B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046963Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.099{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8EC224C65CA32C5CC28B53093A4D1A6E,SHA256=3FF71A1FB00923480AFB847E04D7B7A4404C53B87B87450662AF36F9ADA22E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046962Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.045{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1F1888545E15EB463ED12133799B9684,SHA256=05589CF97DB71D613F63BF3AD7EB5D065E2E26B3F806031355D7421807EAF7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046987Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:22.814{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3CD55D213C6A10925497B18B7E4B7D,SHA256=138663FDE2CB816154E39F46D68D125CBF73DDBC4FEC05D99A23411AEF4FFF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033439Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:22.758{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32EE015F39D8F00832CF0A1DB9BDBFD,SHA256=53FF1C12589BAEE922C1F61DD47D50B3122C51E63150360830BCA5CB4AE1054B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033438Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:19.988{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51545-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046986Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:22.599{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B08D4DAA665EAEDF3E02116FE103DD26,SHA256=F7FFC44832B9DF224FDDAE36D9EB215129EA989EF57092DCC4F4A5F570DBDE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046985Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:22.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65459C9D564697FF84DBA68E4B91CA43,SHA256=B0F3938D4341A08B8DD4AEA6D571BB5206576F0C8EC6A09C2C6A0A9BCF81EB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046984Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:22.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EBCE76450A1D41A6A854130DA2D6EAB,SHA256=D79E46FE3F50CD1BC32701F49490A3C4BF97FF0236176BB2D9591176AB95F034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046988Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:23.829{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54921DB62D53BD12136400D342CE275,SHA256=CE17097E00DE44EE0359C5BE8AABC06AAAC361A1A13648B1C77303D5159AC3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033440Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:23.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749540CD3CD771A0102F6EA7E247CA28,SHA256=E700E8FC9EEBBD2E64F3903FEADFF13F955F9702E8BD7C2B87CE161174DD5624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046990Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:24.844{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DE2F7E2A78C9297F393BEA1962F078,SHA256=4D17803C8BB5FC5E842491692546C9227D12E3FAD2E368D2F2E9F8EB7E5B1B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033441Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:24.821{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBDD8302937F202276218E1ABD88616,SHA256=3E5F84D352AA861114A862C11A0921F74A611C5E8F369FAAF6A40799AE477C73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046989Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:21.600{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64406-false10.0.1.12-8000- 23542300x800000000000000046991Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:25.861{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9A1403B270820910A03A43FC5B8DAC,SHA256=97A2EEEA6968111F33778C3382F8DFB97C2533B8B52BF8E9E03E08937791F31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033442Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:25.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98524D8895745E244CE72078F565C3C,SHA256=A08ED341292F4FC570823EB65CC189FCC6F21F51BBA636178BD9921740EB3BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033443Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:26.852{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3286BA4176F543C497841B95CF48E3B1,SHA256=E928B8D72DD219404CF431C1BCB30A577D6689AF49335E93B66C9C1F3330FFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046992Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:26.879{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CBFE8301DA7B6E555BAA7B54FC744C,SHA256=C436B0E9B61B8461685350CF87F0005010ECA83AA599040C77F9399BCDA0B5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033445Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:27.930{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E3CC8B052D195B35AED98C356E53D4,SHA256=CC57BCAB295D6E47C3B18A145F22AAF0CA5F7E8A29597EE39836167CC7889CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046993Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:27.910{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4728FE4D9FE13F1494FBB786AD5E7DE9,SHA256=4BF48541E7B699795E9A3B45EE24C6943EFBDEEC25E2FED5A535B306EF0EBFD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033444Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:25.925{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51546-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033446Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:28.935{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92C2A617D36A0B86DCD62EC53F86366,SHA256=B40969EADB033E7813981794E0F8501736D3B4F10EFD37ECF53ADEADDA02FC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046994Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:28.911{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE52E639EB1A9BD2E59A5886FF570CA,SHA256=202F615404A69D0F42116D60EA0909AA4FF283BE4F91709583AC75CA34E3F80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046995Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:29.926{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1633957A35B30483E1D73F295FD4DFA5,SHA256=E6DC4D46C21A4D2E6ADDD839E5511612CAFEBFE9CBBAD7C612F847529F313844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046997Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:30.942{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95488E6D34E084813EB82C3A738C5711,SHA256=23FCF72DD910B5470D60921C3D978D59750C7D141181D7A56FF9A44DB3FDB6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033447Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:30.013{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B8A0077A0856734587ACBC93F0EC93,SHA256=CCB46D8AEA0283FDD4C352741AF5B31E2B22382425466619A7CC3FAE8C43DFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046996Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:27.529{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64407-false10.0.1.12-8000- 23542300x800000000000000033448Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:31.044{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC5B4209D9A8426738E2BEEBD245124,SHA256=9D7ECC69B509D934988501B98D7AFC76F9DA1630E3EDD81B8E527A42BCFAB60E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033450Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:30.961{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51547-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033449Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:32.138{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E9549A1520EE9B58340932BEBDBD6,SHA256=2685A226622DE1F7DE5ED4CAC7B561AEEF48287228EA20A50CDBD9EE0C8B24E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047001Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.978{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB002C1788C89DB8D2842681B4313602,SHA256=CFB349F9FFBAD6C2EA122428BF2467D57AC70F6133EE2BA53C015695C2A08A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047000Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.978{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65459C9D564697FF84DBA68E4B91CA43,SHA256=B0F3938D4341A08B8DD4AEA6D571BB5206576F0C8EC6A09C2C6A0A9BCF81EB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046999Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.778{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046998Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.026{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39385A1BBFD701B7D52BEDCC2F2D58DF,SHA256=0086BABEFCF74744CA342C0C61170479EA23DB80ACA75F3AFBB14BEAF1038288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033451Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:33.154{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B54BB2CC3EB17BAAA492D4E56A25987,SHA256=01F9B7590B7F4190D96D23B8FE0B19EF3F7BEC3C0C85AC9F4C9703B78EC17723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047005Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:33.577{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047004Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:31.392{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64408-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000047003Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:31.392{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64408-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000047002Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:33.040{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B16DA19DB2491A304431CDF5E8668C,SHA256=B7A2191DF508E536FFE265FDB432B6EC3AAA4C70DD81FFF9C09BAD703A4E01EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033452Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:34.201{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E380C30F439D214787994895A6620E4E,SHA256=CFD9AAA5661D1D67523C16EBEB0D81F63140C6E8478CFC22B76EB1DC54040D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047006Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:34.059{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8887CBD2DDEBBE1A02F47B3D2B78F16,SHA256=E4663BCA1AB00568539B51FB026736CA8E682D2CBA46045C65E94BB1F282DE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033453Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:35.216{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE119DC0A52513E53C2622378F00F5D5,SHA256=381CDE07108C1E8CD4A3EC171059D39BFFFC896BE204B7E471545892C4904C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047016Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4FC837202165CCD4B5F67D4F4BA04F94,SHA256=21908AD7A92F2A14BBDBD74F778B3AE4F54E9AD0F4BF172D330E6E6D617E4409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047015Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=597560EBD2CFEF600A3152477A5EA7AD,SHA256=26FF454367ABD830A1C2A41D78E96410FEE1CAE2C226EF23F348C43EE4C94657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047014Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=CF09B80BEAE606E78FDA3BF3A8C7F275,SHA256=36D6A6844BA8EC296E34D95DC874BB8F1F4C3AB389A090D9E1E465A06A520DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047013Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2811E2EB41F3C8F80C10AC06DD6ADBC0,SHA256=A55D5DBA7F55F6F184499493784FCFEA76D16B54368560708E31BF2B6EEFE283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047012Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2D4DE304F21D36EFA5ACFD62F514DF40,SHA256=3BCBAF47CF9ABEA808C2F0774900F688877F6BC5059BD64593ABE8E58F9F188F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047011Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=6513438630523B3CD7548B61D4359CF2,SHA256=24B06D9FF28E23EACC7F36C4D9B8996B475EF3FE398178AE15852BCA776291B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047010Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.922{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=7E5B74949EA4F0ADBEAA1DC4B0AF8377,SHA256=4B195361A1D7F04A81AF4F722F5C4DD0AD13E6F2950DC496EBDEE1D28DD37D28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047009Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:33.544{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64410-false10.0.1.12-8000- 354300x800000000000000047008Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:32.991{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64409-false10.0.1.12-8089- 23542300x800000000000000047007Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:35.092{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56C27BD01753BD4459E588571A49B01,SHA256=E3BCDBD81B196C0CF6AC0FDF554B439A543B65E1461F25A1D7C6947ADB5D783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033454Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:36.248{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913E16705B64E379892C0B267130C18F,SHA256=EAD40B51657BA44A9115C0E1CCF585AA0ED71A8047AA6A6F31F8D9D7351AD7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047017Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:36.106{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6E9AA6D08ACB48AA3E0EF9DD1336ED,SHA256=68C41D977A5C8A6C64E6248B76586FA46A4D0719123248763440BBE42A3E7CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033455Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:37.279{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54887912AD764817D124F53761B91012,SHA256=CCBB4B36BE9744DFCB68BAA29F375742B6F4FC4A1933E20B68C3333A400AB0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047018Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:37.121{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A27B48EDA3741DECFB724D1A81B1CF,SHA256=5F6AAA8A64CDDE5ABC8ECF7388F66BC51DDCEDA8512E51B89FFA280C17372B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033457Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:38.294{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB218C6FC126E057C7AD7D91DA5774A4,SHA256=35B54B684F6EA9DD0A32124260EB448A26CB7876A25D52588BA7F8C70A4D0DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047019Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:38.122{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5497D7F662686EF7942D75FD43BA8721,SHA256=CDD686E29F35CD61BC1F9B4B350541CD6C60A83B9F14BEA43AA96B66F8D5BB0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033456Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:36.023{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51548-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033458Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:39.373{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66271CAD0B34361815CEED71A4E9A788,SHA256=7F5F7D2C3510C792B3DE97B4515827EDD427D21A435A4E44731D2DA8D742CA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047020Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:39.136{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB19E9929AAEE34D9A186768F224045,SHA256=6635CDC27D6A52BC93A389D2B2D1DB4259D4BF6D101EE53B6EA068FB6F399353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033459Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:40.388{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089E6A1C57DC3C28A6DE6C944E7E8F2A,SHA256=697A4687052561455E14D9B3D6DDB813C1D073DA012A426C7640C9ED425FB509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047021Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:40.154{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1891C29EEC854704D317BF69AE6FC2,SHA256=FC315A1E892F11AE0775B50E0FB9EF65FEA57FE6B52ED403724C954D431742A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033460Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:41.404{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF604BD9CAC9AC38D74898BAB6F2532A,SHA256=4C03206991DD766BE5A9BAA78A941C826FC9EF7F616D2BC1DFF2060686F9F48B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047023Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:39.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64411-false10.0.1.12-8000- 23542300x800000000000000047022Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:41.189{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAB05692471F7AAB35A678809A84CC8,SHA256=6EDC9219AD5867DC0B69E01B6EB72957CEDF31B13246EB85E7CD984C25977AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033461Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:42.419{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6344E4386DAA58472BD6ABFE3028669,SHA256=D438840BAFECF9296C4AAC90A21EFBBC3301D3A4F4C908C9D6AFC2FC9335179F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047024Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:42.204{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94CAF76E12778F3E4C96DFD4820D34E,SHA256=11D23B455A7A5B7B7A8ECC197CA586D4B3A5348773A8C327377F5C58D42BA13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033462Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:43.435{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3103FE87DAAE13FC169143D8EDB20C,SHA256=04BD125F0F8EE2C6DADBF78F073CBD70FCE49618FEA9304F8D8DB2283EE5698F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047025Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:43.252{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE8AA30CA233901F12E75504DDF9E5D,SHA256=2C9FBC01660DD94420137CC958225A2BB9EECE8DADD9D0BFF9A3D1C8464FA787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033464Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:44.451{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385ADBDB96F119EF4703F2153D76A8EB,SHA256=EC170BEF19F2577EA983BDF26EE4F4251238334B44EDC0B6D142525E85044BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047026Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:44.271{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE50FFC80AA0A6E5F75DA02AEB9F306,SHA256=1B102ED115216DB1C92E299BB9ACA04B3160C1726CF8D6A88995DD8385AEFD93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033463Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:41.836{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51549-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033465Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:45.452{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50386BF04C1C410910E558C9BC2BC033,SHA256=C4CD2904638F30E92B62A1A938994995BE4C79ABDAF5BAA11220D35DAFC9C80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047027Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:45.302{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7568C1A7C1FA0615F73C803BFBE87D,SHA256=A26CF884D5352C6C020EEB0FE9076F7BB6B65D18350EBF0EA04A0D87E2E1F080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047028Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:46.318{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1579C3D63DD652303744FBB664A4BE,SHA256=A2ADAA0C441924C91715B0B370C47384A3C1581892238036791E974729B9FEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033466Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:46.471{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9868FBE2AC676BD92B303D7089628B5C,SHA256=E858E9793B6BA2FD4FE640853EE37FD7B5DEF41D874E2130B0C194F0DE98EADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033467Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:47.482{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F89F6AB074A9ADF07A681CEFEB156C,SHA256=4F758C2B4AD5BED1D9A031A143606B5604E9DFBB24CBED8F8665AA5BC80EDC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047030Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:47.351{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5311A8B63037B81DC6C50FB0BD72162A,SHA256=96D1F17A7EB1F6F2B3C10753D0A4060E9B04A64D74076C5A03363E259CA05EFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047029Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:44.637{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64412-false10.0.1.12-8000- 23542300x800000000000000033468Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:48.529{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8A5F2CCBC9AA5A972F9722651CBE76,SHA256=72C9E1683389349B9C1949DB8CC8BC9F00E30DCBCC7C056ADD477F996A327260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047031Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:48.370{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DD9FB738E23BD6C5FD5ED4AC0FB98F,SHA256=0C09DE0543BCE9855172191CC4C2531E82BFD99B198F4B6286957DF4F17EB5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033470Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:49.562{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E573142B47E5CCEA266FFA1F45E696,SHA256=F855875B7A690CB0D34CBF461C82E68FA995B4EC13D3188F52B22F7079FDD8A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047032Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:49.386{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7393DCBD7C8917057140412170E3D5C2,SHA256=6327AB7DF34761902AE5DC8F5C6D9F9243447ACAF875E48E6BB6C669A49541E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033469Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:47.037{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51550-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033471Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:50.577{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAE8F50D8B80E73104F506A147544C7,SHA256=C4255C60139BD962116E52FC1C297BFD135ED83346A62478BFE75E94978410B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047037Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.417{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCAEA85FACBDAE0965C4884024225BA,SHA256=5D429C1862131C4B773D1035C24D6C0BE01A25FA3CB6745DEE2450CD8D2CFDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047036Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.186{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF926db7.TMPMD5=98D337AE5290E897B55C45A1E233320E,SHA256=AF7E2A4CE72342DD3A7EAE18801CDB1C6819994A4573C77DB257BDABE8CE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000047035Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.186{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_72a46034-0694-4bbf-811d-18401756159a_Untitled2.ps12021-08-10 10:50:50.186 11241100x800000000000000047034Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.186{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_d15fe150-5051-4487-ae6a-742689c11c58_Untitled1.ps12021-08-10 08:52:49.598 23542300x800000000000000047033Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.186{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_d15fe150-5051-4487-ae6a-742689c11c58_Untitled1.ps1MD5=D184347490C1D817E7F1FCC641863924,SHA256=C871A3D5D4DD6556C7D6F532FD313023B15DB2B858AED8F5AAAEBF683E3A4E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047038Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:51.451{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE3520188BB36EF85C2F0AB721E4B70,SHA256=3ACFCA1BC62D077E721ECE3D62006C61ACBD261F7B02BA68BDDB3C5EEF09173E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033472Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:51.593{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D6816F08E2967874E05CC0D1CE1BB8,SHA256=4DB810FCE31A8CF7DE0EA8DED509C81DF508A3ED2ADCD5FD02D11B5BDF76A11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047039Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:52.486{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7301169101D6FC3D18FE0CE3CBB0E7,SHA256=C1CADB5DF2912A20CAF1CB8C8996C96CF3740045C45F32B1A51604CCD07DD868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033473Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:52.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62712A0C5CD551A603B0695B593EE945,SHA256=F43472EADF42559F590AF234CA604DDA698EE0DE9439A0042E421E1E1E21EB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033474Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:53.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917C1D41A8BCF96184BB00F36B3C51CE,SHA256=CC4BD51D6A92988FEF3181E14413D9C5F09A391A859774CA41B193A967D70D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047041Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:53.517{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFCF6B67958F98F72AEC3970278E7F8,SHA256=8BBDEA0E24E77A6357041A265AD67E35779B9B7DC5FEB6F443614E3CE41BF5C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047040Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:50.621{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64413-false10.0.1.12-8000- 354300x800000000000000033476Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:52.947{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51551-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033475Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:54.624{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A59EDCF6521170DBEF74B706451433,SHA256=EB5529D0FED56167324B92FF08FF4990E1037C6D9EC781D3841B164642F8C654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047042Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:54.532{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA72B51030E6FCC15C53101B3F339FD,SHA256=93C30D362B16957D428B255903E38A20F32B1679A4A60224BA4978631D259ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033477Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:55.671{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78842C4FF8E9F26FBF6AC61EDA3F0A22,SHA256=55D3E98B6D64036701542CDD22ED0B07016FD863EF22C9C3621B436816820F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047067Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.985{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C811139FE7C7EF03B6A0D5513AB88351,SHA256=9393DEA462799BBA61614B37268E86A6FE35B70F2DD4E3BB9FD808179B9F03D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047066Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.985{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=F61C060F52E9C208076D3D46E6729F74,SHA256=FC4FA26445B41DBC14AE1E84B2DD2B6BC4A068440FE71BAC4302457A5738E1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047065Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.985{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=B5310E9602B08F6B6071058A5459BEF1,SHA256=6C941A1D17B14BD4E58D9FAEFD7EC12E2895166D325A2AB47AFB753122F7169D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047064Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.985{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=AD96C3FE482933F31F8536A178EBBA17,SHA256=3EB2E1599A1A4D839B01FED659FB0985E2A43DD990AFD8CE9E0C68A297416478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047063Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.985{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=8C5847932D76C66CC953807C32623F69,SHA256=F18A88486A28F75368EA0A50E54D9A87FD1257DF0676E90EB8114FDD4CB69F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047062Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.985{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=BC02EFC1646236459BBA936290C70F23,SHA256=A3838151AF718EC1584DC256244F4D15D175EF4D7F9B2C89383BA4EC71B59DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047061Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.985{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=001F91B2D432F5C4CAD9669C2C31E52E,SHA256=23C635EFC49A74AF24DAEF42CA983E74DA3A407F92D1C04828D438BAA760634C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047060Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.954{82A15F94-5A0F-6112-3B08-00000000E501}49967132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047059Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.770{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A0F-6112-3B08-00000000E501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047058Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.770{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047057Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.770{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047056Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.770{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047055Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.770{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047054Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.770{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5A0F-6112-3B08-00000000E501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047053Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.770{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A0F-6112-3B08-00000000E501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047052Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.772{82A15F94-5A0F-6112-3B08-00000000E501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047051Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.532{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98442556ED1A71D0FD731188DB05966,SHA256=7115DFB6072ACCB4424885BDA17F1305F4B4F6F82DB33682BF959B35945D83F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047050Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.201{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A0F-6112-3A08-00000000E501}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047049Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.201{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047048Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.201{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047047Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.201{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047046Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.201{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047045Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.201{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A0F-6112-3A08-00000000E501}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047044Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.201{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A0F-6112-3A08-00000000E501}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047043Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:55.202{82A15F94-5A0F-6112-3A08-00000000E501}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033478Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:56.687{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D60875A9097B4E3604C6CC2B8FE1B7,SHA256=07F9A00BCB33147B7DA4FF8AA47756C58CB3D170764F4D910D3042B0462369F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047078Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.554{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7876703BC8E07C934185298D70F72E68,SHA256=F7CD64CBC49193C137D05189C426B7B63096A050A4D1C7C6466EA0B769EA74A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047077Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.353{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A10-6112-3C08-00000000E501}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047076Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047075Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047074Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.350{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047073Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.350{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047072Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.350{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5A10-6112-3C08-00000000E501}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047071Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.350{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A10-6112-3C08-00000000E501}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047070Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.349{82A15F94-5A10-6112-3C08-00000000E501}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047069Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.201{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FED1F771860762D5E99EB563652BCA0,SHA256=88381CF9816C70BD74FE8DA58FA1CD532664ABCED5472989DE6758C1E58021E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047068Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.201{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB002C1788C89DB8D2842681B4313602,SHA256=CFB349F9FFBAD6C2EA122428BF2467D57AC70F6133EE2BA53C015695C2A08A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033479Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:57.702{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239E092E6DAEC1BAEB44A185BED306A8,SHA256=7782ED27C3D7D2D9ADBD47C00178FE0484C6AF41012082E7DDA3FAE291B53C6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047097Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.987{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A11-6112-3E08-00000000E501}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047096Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.987{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047095Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.987{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047094Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.987{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047093Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.987{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047092Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.987{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A11-6112-3E08-00000000E501}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047091Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.987{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A11-6112-3E08-00000000E501}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047090Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.987{82A15F94-5A11-6112-3E08-00000000E501}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047089Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.555{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2683136D7372C374D5485BB58B67F03,SHA256=06B7D5627681C3341881F2B7EB59F5D8A08DBE0A099E7CF6153BDDD465D8FE93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047088Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.518{82A15F94-5A11-6112-3D08-00000000E501}32606788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047087Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.352{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FED1F771860762D5E99EB563652BCA0,SHA256=88381CF9816C70BD74FE8DA58FA1CD532664ABCED5472989DE6758C1E58021E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047086Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.317{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A11-6112-3D08-00000000E501}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047085Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.317{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047084Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.317{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047083Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.317{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047082Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.317{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047081Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.317{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5A11-6112-3D08-00000000E501}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047080Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.317{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A11-6112-3D08-00000000E501}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047079Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:57.318{82A15F94-5A11-6112-3D08-00000000E501}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033480Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:58.718{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A11A87A6F1312B09764CED5C4DE16EA,SHA256=45D9069D54B6E1334F61528A2765312B98403DECDD637B3D4C20DDDB4DDFFCBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047109Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.886{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000047108Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.833{82A15F94-5A12-6112-3F08-00000000E501}54964552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047107Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.671{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A12-6112-3F08-00000000E501}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047106Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.671{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047105Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.671{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047104Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.671{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047103Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.671{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047102Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.671{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A12-6112-3F08-00000000E501}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047101Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.671{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A12-6112-3F08-00000000E501}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047100Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.671{82A15F94-5A12-6112-3F08-00000000E501}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047099Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.586{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2119ABB33D5F68DDBE9F1B17E24E3AB2,SHA256=84934A07FEE5607CDEE397C6E0E928FB231DCFA315FD202EBE963B81F279A269,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047098Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.155{82A15F94-5A11-6112-3E08-00000000E501}34842240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033481Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:59.765{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC2B102DF2D777FC8303C6D095CFD3F,SHA256=F950C12042B34DAFDD670014ADD8F5DB93FD9B6AE82B9913D9B29A596C1D216A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047120Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.602{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FEBE9D5ABA56514DF44B025F5D21F7,SHA256=D6CC6519C0DD42FCAA1EFAB2B2118B35F31CB98EB28CD33877BE4EAB37EDE32A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047119Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.353{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A13-6112-4008-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047118Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047117Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047116Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047115Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047114Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.351{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A13-6112-4008-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047113Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.350{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A13-6112-4008-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047112Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.349{82A15F94-5A13-6112-4008-00000000E501}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047111Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:56.621{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64414-false10.0.1.12-8000- 23542300x800000000000000047110Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:59.017{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=607DC6B7FD909540B63F53B6FEA43967,SHA256=0D62D6DF192BCE710DD9BAF6B1E3F9EB75FBBF1331FEAF72D01FF4DAFC8C3243,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047126Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:00.886{82A15F94-3494-6112-1600-00000000E501}12883532C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047125Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:00.886{82A15F94-3494-6112-1600-00000000E501}12883532C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047124Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:00.617{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEC6D65F11B07A1F28DB3294DC45B77,SHA256=87932524F17A168C58B99BA9907A5E6F833F3E841DE8F9DE0E0D39A532495464,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033483Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:50:58.916{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51552-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033482Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:00.780{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2318C6EF9768177955D0758ACD6936C,SHA256=A8D38CDA1EB80D622BE4F55830A37C64F4B432D57B800F2853A9E2286427F7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047123Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:00.386{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70BAA3DB04D04E60545B7DFF6312464D,SHA256=60CF1FF3C139F8608DF8DB00F09D5DF2FC3F70606A79AE23EF3C889440FF0D59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047122Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.323{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64415-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000047121Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:50:58.323{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64415-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 23542300x800000000000000047127Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:01.632{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566E4EC288D71778C4C7A44CD09E1D62,SHA256=FF9EEAEEF5C261F10D1D38067AC2ECAA59BDF2F2AFEDF451AC03C15B96E55372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033484Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:01.874{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F5015BD7B72D5F1C15ECE8C070A51A,SHA256=84F3C25D003420681AD0558AFFB3617962E1BBC0C07846D02443411C0B7342F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047129Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:02.651{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3722C5083A86969FB8DFB502C88F37E,SHA256=D83E8BBA3944DD08193A766E19BE9CF788F7C5C40EEE76DD24C81124F4850F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033485Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:02.890{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6A058D7B4A5906484E3DEEB3CED38F,SHA256=5349E40C849F478A61E1A67DCBB2B6E9BAC42011F6BDE61F55C6FC8AE6DA6823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047128Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:02.117{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=74F7B2D02DDC12FA286B665D093FDD53,SHA256=88560F9671412B947FAF8034D54D9DF3D655C5D2B1C7093715E4946FDBB53103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033487Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:03.937{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033486Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:03.937{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4606E64BE4DC8BD7F061F39025680E9,SHA256=89F2BA3C6EDFFB5B5BC2B34CB6CE502FC312929D5A3F2B2FB054EAA04690F01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047130Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:03.685{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98084C9905DA0985887BAA08D4CEFEEF,SHA256=5250735927034A2F11CAA9C42444C901C9CF71F5896F7DA787EB6D3F0DF0F9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033488Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:04.983{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7477BD5A283C52EA4BB1375E1BE87E8D,SHA256=331985A8A6457BF2CE41F51CB4DC0C651F8139CD040BB9DADD2C82231475C656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047131Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:04.717{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C93DD3822D8F7AC529F336006565C94,SHA256=FC00523DCA55E08C7C0E23B08D780E754CE5BF813481D7AAD4D6A64C69B221E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047133Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:05.751{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B9BB447167246FDF0FE6C62816E681,SHA256=A312027C76B09BC0E667AA7B99B7ADDA7DEAE285CD0820EE0262A237AA4B7FDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047132Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:02.583{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64416-false10.0.1.12-8000- 23542300x800000000000000047134Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:06.770{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3B2237F5B4240FB12F2256B68A06AE,SHA256=21E86FACB2E78CFCC8476F7B47C612707C94542B3CBA0761117450D5D4818EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033491Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:04.837{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51554-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033490Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:03.697{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51553-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000033489Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:05.999{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03068B794E8322C2CDE2F860A5B9CC7,SHA256=420163C7CE3A86B6276D826F92011590BBF4B6CAF37EC66D6721C9AB79E0A9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047135Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:07.787{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31399684DDFEE4A3E55DDDD412D687AC,SHA256=CC2973A4E42F4A235E35F8D2923F3100E2F67556F60C3DEAEE01B9840207E3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033492Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:07.030{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61390EC646DF5B4E2785B935B4EEC6F,SHA256=728C6031DF499DD72674B14A0705B81208A38D63CCFE6751641C79F9319D0BD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047172Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047171Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047170Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047169Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047168Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047167Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047166Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047165Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047164Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047163Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047162Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047161Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047160Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047159Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047158Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047157Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047156Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047155Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047154Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047153Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047152Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047151Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047150Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047149Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047148Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047147Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047146Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047145Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047144Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047143Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047142Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047141Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047140Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047139Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047138Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047137Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.972{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047136Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.787{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247DE71FCD05893B50D4D068CEC6699B,SHA256=42370CAE2030AE2C24C8A2D9AD6F677FF711B944C84AF3F06D1E3F2E63CC8C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033493Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:08.046{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361A49F239BF6177202BC588EF7DC6A9,SHA256=40EDD74C18211D09AB4C0FA40993A9FA00BFB712381D2CBDB2B95CBA17DE6C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047173Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:09.918{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DB088923AB11C86AC954465C78CC5A,SHA256=E718B1299DD5366BA8AC7A62B0AE864A5353B95474D70C193A43AEA78365513B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033494Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:09.046{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D911DAF7C1855F55F0979EA4B051A6F1,SHA256=65D0544ECE1D3AAC151702E5C30B925674D5D6AA7FCC5F11DEE4B5E752B76280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047181Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:10.920{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533892021413151072B5BB03222AC906,SHA256=A960DE410CFC43987B4F91B9A7A4650ACE7A9E3FEF16CD58E7D4B7588CF0E84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033495Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:10.062{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D72A096E3716448043B16E2F09281CD,SHA256=6D5606675A1E8327543C050786B8FC01D17207CD67AC05A9E5666DC85F09E602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047180Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:10.620{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259280C12F4C303EDDCA80B30578E3A0,SHA256=78CAAB5BE8532FF59D216AEA709186FEDD0B80F6E358557827B3D33EB1F24F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047179Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:10.620{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14AAD8DB8BD597F5AB97B4852CA9E7A2,SHA256=7FA785BD64620E28F3823E3F85939DF1798F2DDFBB4B02F5A3DA27AD40A56A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047178Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.538{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64418-false10.0.1.12-8000- 354300x800000000000000047177Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.428{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64417-false199.232.137.140-443https 354300x800000000000000047176Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.427{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local55054- 354300x800000000000000047175Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.427{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local60816- 354300x800000000000000047174Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:08.424{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local52800- 23542300x800000000000000047189Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:11.935{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C587160B64A18EDA5C56C51FBD3E9A,SHA256=FBA4360A8D5C0814DB878447DCEA40D768DD93DF6702B93A1DC93F0CB5E45E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033496Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:11.109{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECC142C16DB3814B8C96FB7FCE9F25D,SHA256=E5A8307C9912A6FE3060E763D050F90E6DE134A3BB5A031715FE4E045F4C208E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047188Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:11.058{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=346F8F948F4C82CFD008B215C6C6A42D,SHA256=3C0D537FA989F5651F6545FDB2BBE9EA2E6EF36D4DDCFE9A7254AB5C43D824E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047187Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:11.058{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=05E73F6701351B97F258333C9565A4A2,SHA256=9FC0749D42060541481368242A7B334047E44F9A97C5BC2B297215166EDBB9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047186Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:11.058{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=619027B35F2160388A6D76191E02425B,SHA256=490616728303F0CCCD1BEB7FCCB56A46761038AC6D4A959A838A42C8DCDBCD2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047185Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:11.058{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=26367D1EC10DFE279652E70EEFE6C7D6,SHA256=CBE8FB0A55F9605BC142A9F521D82EC40E404F3C724BA398235557753B90B74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047184Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:11.057{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=F8C16DFF1EBDFA00A112074F999CDC66,SHA256=2F6BB27844C4EBB2DED56F367C3F01E8786B93CE360B56336162732D762728FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047183Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:11.056{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=FDCDDC2C0CC9DF200377AF2C00FEFCED,SHA256=BEC35019AB9D0DCAA1C5F4466A6BD363919F4440D2BEE2A6927159C026B3CCF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047182Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:11.053{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=D2E467B6387BAA314CDA983339BECA6F,SHA256=45236AC51E667CBA4921807436FE45ECC0CF1CA0AE2C03B3B0FF08537AA92431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047191Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:12.953{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2AB3956BC27CDE776F7E552960FED,SHA256=F94EFF225FA5B76E0A295655356090485253F6C1FE44040B346812D98F8DF523,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033498Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:09.884{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51555-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033497Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:12.109{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0C8FF6A0CECEB220761A8B3D5A2E91,SHA256=DA95B63AEF6A717788E2301218DF2AA5755AABC111CBE580664F95A8D9A90661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047190Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:12.588{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\aborted-session-pingMD5=ED87929581600A57E69EC3FFA9B948E2,SHA256=E11626A69EA2704A56C78D0879605A607AE1CFAE81455EFC676CAA4775E61F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047192Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:13.971{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F74CBE682C442FA33A6EE422EAA4FE,SHA256=6863D7F26148D87585426E2FD50F5DDC8AB6767DBCC3CDDF614D5800C673AA83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033512Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A21-6112-B106-00000000E601}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033511Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033510Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033509Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033508Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033507Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033506Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033505Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033504Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033503Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033502Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A21-6112-B106-00000000E601}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033501Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.640{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A21-6112-B106-00000000E601}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033500Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.641{82855F7C-5A21-6112-B106-00000000E601}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033499Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:13.140{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85C7BFA6729664D1408B4E27DF1DA2A,SHA256=CB8C4F66702490C6DAC95FB1594971A3BFD03C8F91FFBE5E6BA31D9B9C9E5C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047193Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:14.972{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA346853F87016256E5CC036EF5FD95F,SHA256=E35D0EC427DE2A5D668D86223160F4118AB956A5C04C7D1F4D05E25C3B860B23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033543Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.827{82855F7C-5A22-6112-B306-00000000E601}33883576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033542Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.812{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=50EFB0E74863A5F13991D0ADA5F12027,SHA256=3F0CD7D7EBE772686860A9D871BA4473F63862964F1D6BEF29E91A5858A668B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033541Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.687{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0A9CA279599CA6965B026D51F9710B9,SHA256=6162E1DFD2AC9FB9F91E3D9C276994B707A49DADF42D5738A0546979597CF9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033540Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.687{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACFC6A671DF8145D0867B119FF0C44F3,SHA256=E0702D4F0182EB50D8AAD87F4408C6C7E6EB5AC736FDD4745044826C1A32D6BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033539Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A22-6112-B306-00000000E601}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033538Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033537Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033536Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033535Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033534Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033533Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033532Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033531Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033530Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A22-6112-B306-00000000E601}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033529Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033528Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.640{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A22-6112-B306-00000000E601}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033527Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.641{82855F7C-5A22-6112-B306-00000000E601}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033526Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.546{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A3ED5DA9B76E660DAF611855AE41CE,SHA256=5DC446D9DFD9053B4DFBD1D4D17A1C6B7534FDA68079DB953DB9A8E73B55DD6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033525Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A22-6112-B206-00000000E601}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033524Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033523Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033522Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033521Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033520Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033519Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033518Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033517Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033516Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033515Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A22-6112-B206-00000000E601}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033514Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.140{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A22-6112-B206-00000000E601}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033513Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.141{82855F7C-5A22-6112-B206-00000000E601}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047194Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:15.987{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8573D3ABF439E883C6ED29D0E507CFC,SHA256=F2832044E66D60C3B1E81F279B88AD9660C807D5304F40EDD640718308CCAE8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033557Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A23-6112-B406-00000000E601}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033556Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033555Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033554Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033553Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033552Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033551Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033550Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033549Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5A23-6112-B406-00000000E601}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033548Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033547Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033546Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.843{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A23-6112-B406-00000000E601}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033545Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.844{82855F7C-5A23-6112-B406-00000000E601}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033544Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:15.562{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF47D3CCC30950434B7D788A153D400,SHA256=53D5FFE75E79DBAE3346CE87151150485A043857905804635224C4FB8C61D4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047196Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:16.988{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F903BDD20E117CAC111A795AC5ECABD,SHA256=2C2F86040F96C7AC1AA123D239CA61002EC936DCD8103C18A5DDA1EDF362A38D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033588Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A24-6112-B606-00000000E601}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033587Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033586Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033585Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033584Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033583Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033582Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033581Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033580Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033579Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A24-6112-B606-00000000E601}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033578Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033577Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A24-6112-B606-00000000E601}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033576Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.987{82855F7C-5A24-6112-B606-00000000E601}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033575Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0A9CA279599CA6965B026D51F9710B9,SHA256=6162E1DFD2AC9FB9F91E3D9C276994B707A49DADF42D5738A0546979597CF9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033574Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.984{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2E631AA441EFBABDCFEC1D0FA7F8B8,SHA256=B17E07627C1A0005B64467CEA740BE581761A1653B3506F36501E5F478A17A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047195Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:14.570{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64419-false10.0.1.12-8000- 10341000x800000000000000033573Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.546{82855F7C-5A24-6112-B506-00000000E601}15721168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033572Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A24-6112-B506-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033571Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033570Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033569Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033568Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033567Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033566Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033565Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033564Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033563Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033562Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5A24-6112-B506-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033561Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.343{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A24-6112-B506-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033560Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.344{82855F7C-5A24-6112-B506-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033559Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:14.931{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51556-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033558Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:16.078{82855F7C-5A23-6112-B406-00000000E601}15642376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033605Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.796{82855F7C-5A25-6112-B706-00000000E601}10441328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033604Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A25-6112-B706-00000000E601}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033603Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033602Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033601Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033600Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033599Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033598Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033597Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033596Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033595Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033594Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A25-6112-B706-00000000E601}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033593Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.655{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A25-6112-B706-00000000E601}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033592Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.656{82855F7C-5A25-6112-B706-00000000E601}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033591Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.062{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033590Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.062{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033589Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:17.062{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047202Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:18.603{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047201Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:18.556{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000047200Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:18.556{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000047199Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:51:18.553{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.60.70121199C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000047198Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:51:18.553{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.60.70121199C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000047197Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:18.003{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3528F7619813E87A1D814594874D0D4,SHA256=F3C382E3FF61E1569A9CA17D27C9BD8D3C41B94EDA0511BEDA4BEDE5D3D6330D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033607Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:18.265{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E29F301E839A403A13E92FD100EA47,SHA256=F4B54C1DF71F2EC76C143A7ABAE2A5E9790FD9F1D98CC39C623C11BFF582000B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033606Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:18.030{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AA8BC06C5AEF8FFA2587FB9E807F06B,SHA256=BECB0D405CD79215721096E1D2A107A6B7447216676DCC911DEEC8ED8E0C58D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033608Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:19.280{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36239CA7BAB136FD2E78ED081778AEAA,SHA256=765773835A911A6CF79E2F8200F1E032644625CEB71A3FB1FD6CD95729FFBD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047203Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:19.018{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6413D76EFD630FF3C44B332ABD76FABD,SHA256=B857261B1DDC3AA6130750B7FB697F45EBD0BE21A76B3BFC5011E978D5162E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033609Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:20.296{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8FECFA871389512D0A4F98379A00F6,SHA256=72F62F70EA005B19E90FAF878E1FE68195318B16A9AFEE141349B55576FBE760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047204Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:20.034{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F6D47BAA94126639E538A1BC6B6761,SHA256=92033ABCE91743A50E58D1D61E19D343EE7C8B6372F4B650990A298A905310B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033610Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:21.343{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DF84A36BD9EDE4EDCD15046A4E77DA,SHA256=1E183D72C50AE5259F2B0F307F6E2E432EFA9C3280401D4D818323FA987FF4B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047208Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:21.333{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047207Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:21.333{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047206Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:21.333{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-3491-6112-0A00-00000000E501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047205Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:21.051{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0FA9502BDC85D573EC13FC52F689C4,SHA256=7F6952516628A0740E442C6EA065E6C1E52190B5E83EC01C1AC7A1B91BF37EAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047215Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:20.779{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51776- 354300x800000000000000047214Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:20.779{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local56728- 354300x800000000000000047213Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:20.778{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local60968- 354300x800000000000000047212Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:20.521{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64420-false10.0.1.12-8000- 23542300x800000000000000047211Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:22.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A1B1A4BD6F832720625BCD79C2FB75E3,SHA256=EC64719EA5ED10DBD964C0D8972A0822A91C2F7ED8C8BAF49FDD97EAC2B153C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047210Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:22.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6C19FB6AD68C3170E26792ACDA700079,SHA256=DA01D5F0E4696C8A40F8D6D0D5C2E17D6A6EB744941B645C3B5C805682353998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047209Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:22.086{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210E2DC3F74CD6D30BA0CEC1B052D5FC,SHA256=062DEB82972CAE44FA40D3B90E1E6EF073605BF804CDF4AEAEFEEF0D50FC5D91,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033622Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000033621Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008b5cb2) 13241300x800000000000000033620Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0x467ebd88) 13241300x800000000000000033619Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd5-0xa8432588) 13241300x800000000000000033618Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78dde-0x0a078d88) 13241300x800000000000000033617Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000033616Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008b5cb2) 13241300x800000000000000033615Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0x467ebd88) 13241300x800000000000000033614Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd5-0xa8432588) 13241300x800000000000000033613Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:51:22.734{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78dde-0x0a078d88) 23542300x800000000000000033612Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:22.405{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AAFEE910624F4CE83DE2866BB83AF4,SHA256=5CBDA0F6D1A9D651DAEFBF29F80A7CD369900CE805C5DFE781794E113165DF8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033611Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:20.900{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51557-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033623Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:23.421{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E363AC60F2FBD186EDDE4E51499D2C,SHA256=AC50485582E543667A6A644C01B9CD4AE152E8FAACE483B54516C2CECCFAFE69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047217Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:20.783{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-15.attackrange.local64421-false205.185.216.10map2.hwcdn.net80http 23542300x800000000000000047216Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:23.086{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F85785D5AFF0543720345C2751E6767,SHA256=ECCA6F2C7042E9330768A147499D86777FE48570A60105C6D9BF216B8AD0333A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033624Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:24.499{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F6DB7FBB128CB60554540F345E99D2,SHA256=7FFE1C6C1F34921FEBD6A0C193283DF2B37658C3B4DC434696A2CDC6F828EA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047218Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:24.102{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7F2AA1CEB6CBAC28A277595734122F,SHA256=E977F7D418B3BB4A5A8C4B3AEE6ECFA3CC877C35F1031F9E7D1F3A2663D21501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033625Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:25.546{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49908A3030098CB85DBF6C0D26D42A60,SHA256=51616FD6B09030FB2FA47D6D75C1528122CFC43511FCB8385085FA829A5599BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047220Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:22.938{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local57597- 23542300x800000000000000047219Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:25.116{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6206B4C7938942C9F39E77ABAC69FE33,SHA256=08CFFB699899723AEF6885C1A6D7D63DF1272375094533B144DFEE7ED2DEFCA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033626Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:26.562{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D3BDE06642BAF6F9CBDADC397D8B95,SHA256=1E4B0C341D44CA4052E70D535EF78810B1C12B9E646D9B2F661884000B8CB33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047228Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.131{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC23EEBF315B212CEE360ED61ABD4344,SHA256=EBAA97F654DFAA75E4912ED73A9CD26BA063D247B4A164C2998177E14A36BD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047227Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.116{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=0AB6088AB83392A097F7B23D4A970495,SHA256=D9D13AE2EA8864668601881865DF007F33FD8616BE531631E03CBDCA6F0C6BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047226Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.116{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=97044523E7DB86DDA0AFE4EF8D237538,SHA256=8BF202DEF727525C0B8CCF26D479A0D150E885D9A08BF166E48F4325CEC71FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047225Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.116{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=36DC16E46C0DC6E49C4C3F5D9AEDD264,SHA256=DFD8689DCAFE3A69D354BCF44F9CBFFD1F4D50D7B7A73D250345A8E2F31D7582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047224Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.116{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=E5641146799DC3F17FB6ECFD84886CDF,SHA256=E0CFAD7126ACD34CEE84B845FF0645C15D8B5243EBB1A47948769A84B66F6B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047223Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.116{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=275BED8CDA4BE514FE8E7B22B1A53C04,SHA256=F4EF7C83F86595264B5999EEA13CCF3E6757C8C2F1ECB9F4004AE27D245DF2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047222Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.116{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=E3F9930568AA01C211B101E3B4142D50,SHA256=C9BBEAB74088C410EDA014EFB331088548B2B0E048269B997F73890C9232FC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047221Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.116{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=46B286111D4AE37960A8819E1AD1A457,SHA256=A4427698DE03C0EEA8A487D0B059FB06AE18D2CD366DCB3E5F180B3397B245A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033628Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:25.931{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51558-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033627Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:27.593{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B4146122775B7AA89646E80191D631,SHA256=09206C80B2B4492C014BAEEE474472193DE77B1E1D2C7E207577DF49B28CEB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047229Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:27.168{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE85C11C687967FED18F2A934ED2D38,SHA256=AABDAC2CBF14957318A347B7EF07A549841E8EB593AD875A3C30E150ECDA3F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033629Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:28.640{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BAB783C32333DF61757F430D8D6481,SHA256=AD46A8B4C016AC2CD5B1E6F44699B3CD0E131B010726505162EE7A0B4D289749,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047231Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:26.483{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64422-false10.0.1.12-8000- 23542300x800000000000000047230Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:28.198{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE72DA93370AEFD8D55572BEFCD61BA,SHA256=3E6357F09627FB53DBCE1D26A937E13768EC23231342375F5E75BBE8A43AE2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033630Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:29.679{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F2B068111F112FC55A490365B33628,SHA256=235D3DAA156D7FF6BEB2748EAA9FAEFBEBEF5AC86EEDBA6694FD3E67F74EDE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047232Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:29.213{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAE48B99D1874295B1157D74CDC5202,SHA256=28DF67B782FA4810EAF045D1001582E5152E101040B0D5C74CB24B52BC7A0686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033631Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:30.679{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6DD028F6D7F55AC338F650A482F571,SHA256=4198EAC536A87D57ED53722F9B2D634054839154322A30FC131DE7D1DF2ECB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047234Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:30.628{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047233Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:30.228{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C043755F61C696462012D7CFCF54C100,SHA256=35BAF5C0C6F6C026FEA25A21DAE1841EDCD27D9E984F5EC15C5B6B17BBC98DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033632Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:31.742{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F425B61DAB619743F5E1FDFB626825,SHA256=9EBDE672A3F3E7BA3EC3FDF378E4E60820E0B1550D792DDBB98AD821909A7B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047235Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:31.246{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DC1420C0FD28DCBC9BA3CF2FAE9C65,SHA256=C8063658B4C92FA41E3BCF5D74276782306F2AA14AB172F5370119E5DC1FA0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033633Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:32.773{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11449BF72973E6FD5D6C8DEC9EFCD57B,SHA256=8F599824E272F2844F1CACC443EB4C511B7231144864A767E44467D1138E0DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047238Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:32.980{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A64E1B5A267520B30CB41A5AD097F5F,SHA256=57803B49FF00E1F7168224CA4AB25FE0A0B553F5A0664FC29E0D7C9144F90D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047237Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:32.980{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259280C12F4C303EDDCA80B30578E3A0,SHA256=78CAAB5BE8532FF59D216AEA709186FEDD0B80F6E358557827B3D33EB1F24F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047236Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:32.265{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260181B2D9570E33264F75B08A9D570D,SHA256=F7398982DB846CEBABD20608F15821CACA77DB3D35CA4DB65AD955AFC72DC53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033634Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:33.820{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BF5DF5CBF254FF5DA7B88E5836A923,SHA256=C1D3D74D9876BD2525517A6751AFCB05A346B52B774A7E3B61A263AA1835D3D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047243Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:31.563{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64424-false10.0.1.12-8000- 354300x800000000000000047242Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:31.401{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64423-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000047241Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:31.401{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64423-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000047240Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:33.595{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047239Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:33.280{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7611C123260FE0CEA95B3BE35A1CB3A,SHA256=C626E8107308CF803DE03C51A02C782565AB4E316C729FC89A10FA591E25FCD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033636Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:31.876{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51559-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033635Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:34.913{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5475C32AED71E6E05E9B020B55EDF111,SHA256=E9B8FA9FF69CEAE36A6C4830249E2C37FB21030ABE44F8F151F315B8C9B69BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047244Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:34.295{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE8C7CEF12D86C6DD08566CD19AC8EC,SHA256=022DF1EF66C1450767972C95E9BAAB94993E1701323F6421314697B77C8885F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033637Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:35.945{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89D287349596700B9C2879EC699EDD8,SHA256=30F0AC0FF467C40354AA7419412268EF5A9F80F3EAA4CAA06CFB2185D8EBDFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047246Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:35.343{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BD647AB7FE053F0D42CA0AED1CA74E,SHA256=F7A7DEB2984CBC7008EBBC370B21C5701C3D4DCAF10A5F9CD485F9D5D1CA9457,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047245Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:33.015{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64425-false10.0.1.12-8089- 23542300x800000000000000033638Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:36.945{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2170EA853BFF8768A50E7D79E9EFA664,SHA256=1AF09FC830DBF3E9D5359D2B2A5861BB96F1F28AD6493C592AE91EC209CD1157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047247Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:36.365{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EB187FBF5B4D883EFB0B4A94CA706A,SHA256=D2E17CDBD1F6343372C44323D06F88A8B79B292AD363CE84C43977A69416ED87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033639Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:37.976{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DB76AEEC8813DE5921F8CE6935BB9F,SHA256=27A37A7247BD5792713F74F213B3A9A5ACBB83C61EA853304EBFF7518B902162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047248Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:37.380{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03D446EEA88516A4015825C9F5CB0A8,SHA256=A79A6EDA5262F14E2DB09F3E574CEEB12E4270D49D5CF3406A6350B020B77F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047249Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:38.395{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96125A5707B8051532E9E13A86BB501E,SHA256=AD278C63584DF8EEA3E07E131E91DFC690DF22D5BE344218482CEE7C66A53B71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047251Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:37.515{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64426-false10.0.1.12-8000- 23542300x800000000000000047250Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:39.397{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EB547D9F94616C10DBB6C91D63DF21,SHA256=0AACC73CAEE192E43CD8D1E546FFE8296BA79827E57F4F45CA4B6FB9428037FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033641Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:37.876{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51560-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033640Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:39.007{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5435406A237DDD0ED3357A03B10F612E,SHA256=E58A91E28299788E9577B2BF3A79119008BC531BCAD5A87AC118DABF5E22CFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047252Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:40.427{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D453BDA86004220DBD046288B274398B,SHA256=9591161EF7EA4E0A8D78DEB510CE5C36C2FB99E9D31DC342DB46CE26E2E84757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033642Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:40.023{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFA6A6304538730E9C442A1CFE77FF1,SHA256=E280AFDB2CF755D9AC0324D0F229142096066EE28004C860932ACD0F56A98F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047253Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:41.446{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BD83DBF4707D96BE38D35C0BE2FDC4,SHA256=F20CCBF6B1C603B79AF8CFA4452F44B0CCF3D8A30E5B5519E6A31ABE0C02841E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033643Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:41.038{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16398F8E7A420826A2A0089A0F7F3AB2,SHA256=BB3FDBD66D6CBD06EDB7067A297A47044A09DE9B68701CC93CB921EBDF76EECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047254Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:42.480{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D50D971FBE016BD8028610D1B0FD0D8,SHA256=FF53089867DA8DCD0F76B55C0268B4140D26395FD7C1B1D1B0E81ADEAA87CDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033644Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:42.054{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8E5D244FBA4DEFDD6811C36DA19FC1,SHA256=AE40EE62A08CC8B9AE02982F69B37232AA5E0F90B88D5489E67E30CA4CF9BB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047255Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:43.495{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095C6B5BBBB39D172904FAEC511E41A1,SHA256=843A734DEDB7666C6AEAEDCA944A7A28FF8D502D76497D5E572EDF0CDCD64D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033645Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:43.070{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D948D03D7C50A1AD2B797EED58CAF115,SHA256=EB95BB72A88BAB65B4F9E7BE81A44E827B30825B757302751DA4C2DDB2A26EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047256Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:44.510{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A139718E28DE4AB2DEAB12784D40B1,SHA256=9B73F635BD348BFDA068559B3C4782774BD32B11C6874FFACF870B0AEA543665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033646Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:44.085{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15B9C1C4DD6552F2822B4C2C22DABF8,SHA256=6DA6828DC6C7434598F9C54CF4E2DEB434CAE32985DF09DCD586D4287BC55A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047258Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:45.543{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAB73EC5354628AF8C9E695D772E090,SHA256=73E3FE648D8E1F3DB6AC49C6A6B02ADB302DDA11806D023F88B0CB38AE863967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033647Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:45.101{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F1B786F5C5CCD04EA9C48377F5E484,SHA256=8C8E8F934F3AB1CBE1843A5B67C78B5B7A8F09406B10C40F89B855C57BAD48C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047257Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:42.680{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64427-false10.0.1.12-8000- 23542300x800000000000000047259Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:46.593{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC5A78EE6FC2C48895A4B09C0E3BC7C,SHA256=194E631EAFC053776B35B1978782859D1CCE59A08BE9ECBA42E37D0C18F7A9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033649Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:46.132{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39F60C0E3D76A04269FDB1BE1D07D95,SHA256=E681D763DA95955C8CAFD6B61B00F612F90F7CE50B75CFBA982BFEE7F8920A93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033648Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:43.845{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51561-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047260Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:47.641{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814028755A4CA2A041EAF0EA304D55A7,SHA256=D55584CFB00C6236CC2529A5303F7F2F9F0565BF4750D3968DE75102A07834A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033650Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:47.133{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B132F3E2E6F3C540AB1EC9C58DAE50,SHA256=8929F0AEE5EC4AD6DC986FAC233CBD43C2C6ABCB50735593F6C74411163F3298,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047264Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:51:48.876{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000047263Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:51:48.876{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Config SourceDWORD (0x00000001) 13241300x800000000000000047262Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:51:48.876{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9A7B1CBE-334F-49C9-89E1-93C4FD220585.XML 23542300x800000000000000047261Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:48.661{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE332DB4C94BB257A85D23708F647FFB,SHA256=09A0EC6EEA873075B9EECB60FA310F9548F758FDDE066950B802277CC213473E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033651Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:48.162{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D362379DF64A5F5ACC994B63C7F7B8,SHA256=F76F052C75866BB915FABD132EB8BE518A62F00CE8175920578109704B4B3242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047279Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.945{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047278Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.908{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047277Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.908{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047276Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.908{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000047275Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.892{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 23542300x800000000000000047274Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.892{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFB40CB03EAEDF91851F1DFE00184583,SHA256=6FA2BD0D5DC38AF42DB8E717D020244BAFD5239B2551F8FA23A8D3F265B2527A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047273Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.892{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A64E1B5A267520B30CB41A5AD097F5F,SHA256=57803B49FF00E1F7168224CA4AB25FE0A0B553F5A0664FC29E0D7C9144F90D03,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000047272Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:51:49.892{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.61.172457279C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000047271Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:51:49.892{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.61.172457279C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000047270Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.842{82A15F94-371C-6112-5301-00000000E501}7605532C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047269Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.840{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047268Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.823{82A15F94-371C-6112-5301-00000000E501}760ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047267Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.823{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047266Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.823{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047265Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:49.676{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1289D3A8B0D260F54AD791DA75388A8,SHA256=2F31C7C7E56B8FBEB21BDD9CC0019DD82AD8BDF6BE6E15A5B364D232BA7D16BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033652Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:49.162{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39EF3782B35F92551BA7A4B28A9B6AF3,SHA256=B733F097BD352EAFA78A7649C52367C2C61EA058DBB7C8C8134E2F48D117BE0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.892{82A15F94-371C-6112-5301-00000000E501}7605532C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.892{82A15F94-371C-6112-5301-00000000E501}7605532C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.877{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.877{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.877{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0476301BACB8BB6E4862953B961740FB,SHA256=6CDBDAACA380482ACBD8C13768F64EDB4DE29789251E7BE19B1264C930C3BA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033653Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:50.194{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6085D089C5980B26A0DC101A0CAA721,SHA256=C335BD196A92803F77D081C82A49E88397BC50DF004D771F1733A3D7C41F2EEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:48.574{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64431-false10.0.1.12-8000- 354300x800000000000000047288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:48.332{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64430-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000047287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:48.332{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64430-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000047286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:48.326{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64429-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000047285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:48.326{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64429-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000047284Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:48.313{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64428-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000047283Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:48.313{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64428-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 10341000x800000000000000047282Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.023{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047281Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.023{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047280Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:50.023{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:51.762{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2E7FA068FEECB43B9EB1AFCF3B4AB4,SHA256=E812FC9A77AC73465EBBF1905A7350CCFF1707A7234B15D34ACC27BF2F904B23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033655Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:49.015{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51562-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033654Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:51.225{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB49F783D57AF764025AF9438022FEAD,SHA256=D66292BB31D8A7122EC4F8F7D5019CD4AFAC86A8E1415FDCDBE5969E9EF93E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.763{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4FB43EA578CA4C32DB33AF72C5D845,SHA256=F98433DED525FC2DB053C1759BDDE1D5D676752D6F2BC27E32EA182FC02BBB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033656Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:52.272{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00E563A8402F9E4C4DDDE1476B685F4,SHA256=EE5942E96E6D1C7DA2950B7ACC375CD99DA0774CC223A806AFEFC2B4920FFA21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.694{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.678{82A15F94-371C-6112-5301-00000000E501}760ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{0BDE7B0F-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.594{82A15F94-371C-6112-5301-00000000E501}760ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:51:52.443{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x800000000000000047309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:53.763{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFD732C5F401A5C6BCC6FB39D90605D,SHA256=EF5B0882C5EEAA55093F52172BFFBCE94176C566FB63AD01D0FD022BC239184E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033657Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:53.287{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B13781F1D169208B8DCB73C1B8F4B1,SHA256=3E5051B97238293190C4427FFFD34BBA589E7928DBDFE0FC26D79F669B957A5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:53.263{82A15F94-3491-6112-0B00-00000000E501}6326204C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000047307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:53.163{82A15F94-3494-6112-1600-00000000E501}12886216C:\Windows\system32\svchost.exe{82A15F94-5A49-6112-4108-00000000E501}4872C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:53.163{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5A49-6112-4108-00000000E501}4872C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:53.163{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5A49-6112-4108-00000000E501}4872C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:53.147{82A15F94-3719-6112-4101-00000000E501}51046344C:\Windows\system32\csrss.exe{82A15F94-5A49-6112-4108-00000000E501}4872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:53.125{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A49-6112-4108-00000000E501}4872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:53.125{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5A49-6112-4108-00000000E501}4872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:54.765{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9846FF37EE4FD04C4F3AD94FDB911E94,SHA256=82CE2F83CE80E7B4740DC2FB7E6EDC51195E432A82BFD522257F86A3FE1DB494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033658Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:54.303{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1E8D8CCBFBF25286C79994290496A8,SHA256=C4CA0A159058A7BB426533E6000048C8B092BC9A99CEECC8080EFBD87040F4F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.702{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64434-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000047315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.702{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64434-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000047314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.608{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local64433-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000047313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.608{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64433-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000047312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.601{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64432-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000047311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:52.601{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64432-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 23542300x800000000000000047310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:54.194{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFB40CB03EAEDF91851F1DFE00184583,SHA256=6FA2BD0D5DC38AF42DB8E717D020244BAFD5239B2551F8FA23A8D3F265B2527A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.797{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFBA8871DB0AAB55C90BCFD9D7C38ED,SHA256=A07909645D9109881C1BEE17B3555F497BA1D82F88037AACF5BBB0599E293419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033659Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:55.319{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE19DD9068694DA97645B0BF98FC4CF,SHA256=8F55A94A373E9AEE1154A6415B03B6CD91CD13F902B4D03AB40F1AB0E5D4228E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.328{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A4B-6112-4208-00000000E501}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.328{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.328{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.328{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.328{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.328{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A4B-6112-4208-00000000E501}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.328{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A4B-6112-4208-00000000E501}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:55.214{82A15F94-5A4B-6112-4208-00000000E501}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.798{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C244B7156CD0313685047E1C93D69ACC,SHA256=61DB98A5FB71BA7BEC97EA31BC366CAA3D2AE6EF96EED1410C78E1FA64DBE002,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033661Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:55.031{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51563-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033660Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:56.334{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC035F21D00094A3264F29EC3F4FF2F5,SHA256=8206B2DF1729BDBBE72DC13431398CE865C54FC89E9C69D7A039B1413615EF61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.482{82A15F94-5A4C-6112-4308-00000000E501}66766744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.228{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A4C-6112-4308-00000000E501}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.228{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.228{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.228{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.228{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.228{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5A4C-6112-4308-00000000E501}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.228{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A4C-6112-4308-00000000E501}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.114{82A15F94-5A4C-6112-4308-00000000E501}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:56.228{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C7D77C8805786F9A36ABEB924BBFD6C,SHA256=6D4802D7B899374B2EB45BCB05ADB66E4EFFD17264CF0A837E58BC59720D603D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.930{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A4D-6112-4508-00000000E501}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.930{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.930{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.930{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.930{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.930{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5A4D-6112-4508-00000000E501}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.930{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A4D-6112-4508-00000000E501}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.815{82A15F94-5A4D-6112-4508-00000000E501}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.798{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EE1B8196F5DDC3F437381AD95C32C6,SHA256=9BDE904756013D764DA77FBFF3E088FA042B4C07A4E7E7A5E0073C5DCE750517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033662Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:57.365{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41787B6BA17572459A274B4D94D90690,SHA256=F0F6DA92E529B963D0C0118CADD3C63546B801D2F91D804A29AAC8EA1260B06E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:54.579{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64435-false10.0.1.12-8000- 10341000x800000000000000047345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.147{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A4D-6112-4408-00000000E501}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.145{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.145{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.145{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.145{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.129{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5A4D-6112-4408-00000000E501}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.129{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A4D-6112-4408-00000000E501}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:57.014{82A15F94-5A4D-6112-4408-00000000E501}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.799{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC485590746564891FBA87FFEA623121,SHA256=B5B75C6813CECFF252FA45130A4B1D4254D2E6E45C347E679BF6399909192C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033663Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:58.412{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB508494DD2136E13F3808B173745850,SHA256=0B08F46CC601E3FF859FE8EC520B25EB6906E6802581A80CF80CF36A86236BF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.767{82A15F94-5A4E-6112-4608-00000000E501}66845376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.614{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A4E-6112-4608-00000000E501}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.614{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.614{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.614{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.614{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.614{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A4E-6112-4608-00000000E501}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.614{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A4E-6112-4608-00000000E501}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.615{82A15F94-5A4E-6112-4608-00000000E501}6684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.114{82A15F94-5A4D-6112-4508-00000000E501}69766220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:58.029{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=856DE3171BA3EBD52A405B28D207FC10,SHA256=0F660BBBB610AC98BD2AF7A15423468C7CE84F99A4F550D2786B9381BB366049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.800{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED021EF0F376F025DD0D0C4C134D3460,SHA256=53787700E35196D02A1B4FD38766694E8755C745377983321FA447804CC4E085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033664Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:51:59.428{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D6178CE8F8F6243F16A80B4574C0CF,SHA256=40941E2082B4FB299A2CCCF9324F49D71F15B368965F0383B7A270138D55CCAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.631{82A15F94-5A4F-6112-4708-00000000E501}66606964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.616{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC05DA2BC6F50CA71CB1E64A2B33DEC0,SHA256=F60275585A090E75A2284AE493A4EFF0FE6BB5731BB0E71681DF58CF5DDCDADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.432{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A4F-6112-4708-00000000E501}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.432{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.432{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.432{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.416{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.416{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A4F-6112-4708-00000000E501}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.416{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A4F-6112-4708-00000000E501}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:51:59.270{82A15F94-5A4F-6112-4708-00000000E501}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.831{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9BA015EB458C42939317B370A19D8A,SHA256=09CEBE93F088EAD3563DDA81D00678D014235E7649CF86EAC697DE30C5AD86A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033665Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:00.444{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2F95F67536929EA0BBF86B62B7338E,SHA256=B8AA35147C8F6D77F181FEC20265FA721C5CA51B3D42E336C3898A7192A0EA70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.319{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A50-6112-4808-00000000E501}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.317{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.316{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.316{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.316{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.316{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5A50-6112-4808-00000000E501}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.315{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A50-6112-4808-00000000E501}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.148{82A15F94-5A50-6112-4808-00000000E501}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:01.963{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:01.848{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7F219F8F855624C05AF9DBDB128108,SHA256=B5AED2D479FE998E726A18D06EEA8101BAED86B42A6D1CC67207C334B70187F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033666Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:01.459{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D689F12D2A737A07D056CBFB5B4C841B,SHA256=4F4ED8FDC3F17B6D89DC77D231C287F14287F4F871B670A5610DC435EB217FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:01.164{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02728B736BA9CB63C39FC452FB008112,SHA256=144DD9B21B64A500BBCDC7AFB7B05EE0831EDE40641C0E76BCC9C265412FA691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:02.863{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5304401A211DFF972BC1B97CE9A8FEB,SHA256=F349D16EB3F550A60876BE38487041EF6F7B47762A75EBFF2C29B6BCD38B32FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033668Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:00.953{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51564-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033667Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:02.475{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3976996BD5F7871A28974DF4180A4B,SHA256=64405504019B159B69EDAD1C8BD19CE6F3AFDB92B77C3651D933B8BE38B38011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:02.126{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5D4A22DC83F913EF507BC1FD06736120,SHA256=474FEAEF870177DF35A4CE2A9FF49EA0CC460CEC46C202633BC4AD65D7AA7B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.878{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E80EEFD8D479976BFB2105F20922593,SHA256=4960CC8147EC45C4FF468751E0FE568CAFA0E1BE7FFEE98F8E00C6881532EEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033670Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:03.959{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033669Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:03.522{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B882F4EB46DEFE1D0C23E0D2AF4F1,SHA256=6B1009382F446F22BF344123411C8A1457089DC5C9647EB7ACC4E9EB526E4845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.478{82A15F94-3494-6112-1600-00000000E501}12886216C:\Windows\system32\svchost.exe{82A15F94-5A53-6112-4908-00000000E501}2148C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.478{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5A53-6112-4908-00000000E501}2148C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.462{82A15F94-3719-6112-4101-00000000E501}51045012C:\Windows\system32\csrss.exe{82A15F94-5A53-6112-4908-00000000E501}2148C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.447{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.447{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.447{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.447{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.447{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5A53-6112-4908-00000000E501}2148C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.447{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5A53-6112-4908-00000000E501}2148C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:03.459{82A15F94-5A53-6112-4908-00000000E501}2148C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{82A15F94-3493-6112-0C00-00000000E501}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 354300x800000000000000047393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:00.546{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64436-false10.0.1.12-8000- 23542300x800000000000000047407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:04.893{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2353EF7E1D05833C28734E6EB26924A9,SHA256=DCF820B8CFABDA8F99ECBCB80336BEC3BAE66BF03E0D074CC622787A4325E17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033671Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:04.569{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51E0BDC32FB0073062C03AD92EAAEEF,SHA256=294CC26FC0303A08E13C7188B0E2EFA70FBBA8FBE10C92BC04CFBCC8216C6A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:04.462{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=283CD78C73993FCD5C14A3B697E67146,SHA256=65FEF86C353C87C3F0308F384650E6B811B4FD24B12AF20DAF86B4815D676BA7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:04.231{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x800000000000000047409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:05.895{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17F8D7703413D6318A0EA6AEB381F80,SHA256=FAB46DC1C49B1F4E8A080C5E7C6ADF0D95D195E15364EDC89C8AE1EAA541763E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033673Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:03.719{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51565-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000033672Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:05.615{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED90F1C2483A5497CB388FF243CCE626,SHA256=E275E1ABE2CC0D8BB7C2F0CDA8411E4ED3F5A3B86B0FA52D477429E0767371BC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:05.280{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{939D20AC-8036-406F-BD5C-BF672896BD71} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x800000000000000047410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:06.910{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19337BAECBD1CD9E9C668A65B1E393E2,SHA256=26135BD0FFE0085098D87CF063B5F52C916907823AED83ED2CC1EC9048C6CB9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033674Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:06.631{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205D03ECAC001DE801622FB9AD70A92A,SHA256=6789582D31EDE1112821685E43C03C8C8BA6A34E447074E4919E9E9AB6F55B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:07.929{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E75C4B7A279ABDA3B9EC223EB8A5F9C,SHA256=4EC2B89B2C7E4370B8ED529B25F7FAB0FFA2AC002A8A4D5729A1A0CE564FB216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033675Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:07.647{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DF33DF945D3B1C33E3BE106C57C70D,SHA256=39BC179A44A7AA0CA13F3F8A514E8F1123225FB503A48B62519B4DE1CD52B80F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:05.583{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64437-false10.0.1.12-8000- 23542300x800000000000000047416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:08.935{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E146456C35C0FFAAF4285AFA606ACFAD,SHA256=C0C619AC17EA124CCFBA4102AD280E2E3E62060DD5E7064522A885CBBA7E5E36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033677Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:06.000{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51566-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033676Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:08.740{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E9D6F1157091896E404AFA8BFF1715,SHA256=E9C9B4C22CF3AC6F705D8453B276236E1A1CB2E36AB3B98B1A46FD07D3CF46CA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.localT1158SetValue2021-08-10 10:52:08.448{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHiddenDWORD (0x00000000) 13241300x800000000000000047414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.localT1158SetValue2021-08-10 10:52:08.448{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000001) 13241300x800000000000000047413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.localT1158SetValue2021-08-10 10:52:08.448{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000002) 23542300x800000000000000033678Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:09.744{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE798380F4EFB25FE7CC7967E0A7C2A,SHA256=E98077BF3E59B125D22F8D2005074151603A3915A35A438CAA328B930721D237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:09.951{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7587ABC854826E352669F8EF8E96FF91,SHA256=93086B0E6D66F5716625EB67A5DC85F3B80F96DD137759E98F3BDF41B124F0B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:10.981{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADE889F9F61A6486E5D570CB74F2B78,SHA256=9E81021FBEE22E406CE7373C3571E702D6924DEE2181D3435350C676264396C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033679Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:10.760{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9288582B5B46087AA51FB7B429272061,SHA256=B24802B6652EBF87BB2B2EDACD47D80B3240B1EC71C51A9D703391368D06258F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:11.982{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B84089EC8E78AB819A97D811F6BDAE8,SHA256=44C9F2B11EA253BE728E7A8077F370EC07105C90F358C93988E544FAA6581CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033680Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:11.776{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0591F7E10C243D573E06D919A73FC3,SHA256=17603CDA404A1B3B37B8DBDF977D90F0F1394A43CB2EC846C8868B2A88BF078E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.localT1158SetValue2021-08-10 10:52:11.234{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExtDWORD (0x00000000) 13241300x800000000000000047419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.localT1158SetValue2021-08-10 10:52:11.234{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HiddenDWORD (0x00000001) 23542300x800000000000000033681Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:12.838{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23ADCFB8293A4D82470D12710C5C0431,SHA256=EA7DF985C8437FE14AF5BC9FF767A68ACF0E82E0D31A1135FE378E3BAAB6394F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:12.994{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15F4C01C3DD10ABF44D7862B2CC24EC,SHA256=1CCF0144281F04032F016C31C6930E8A91C454844DE7C2EB3580C39E90CA348E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:10.600{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64438-false10.0.1.12-8000- 10341000x800000000000000047424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:12.594{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000047423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:12.594{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:12.594{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF93af8e.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033695Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.854{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDBB2A9A2C6D6D0CCDBD6CABD0E7E80,SHA256=5755B6ABCB5D38F94DA72B2232BA3C1E708F2D499855FDD6574A59E2E27504A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033694Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A5D-6112-B806-00000000E601}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033693Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033692Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033691Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033690Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033689Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033688Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033687Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033686Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033685Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033684Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5A5D-6112-B806-00000000E601}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033683Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.651{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A5D-6112-B806-00000000E601}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033682Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:13.652{82855F7C-5A5D-6112-B806-00000000E601}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:13.263{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-371B-6112-4801-00000000E501}4760C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033727Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.932{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F69D14F75929A1E398BF59C8DD35CA,SHA256=B2FC3FF6EA92DABDE844F7C49498D7008B847D897A3BAE65F5AB8B6E542AA817,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000047429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:14.494{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-08-10 10:52:14.494 23542300x800000000000000047428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:14.009{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058745D3B3F02AFBBAD12C4145BF2F0B,SHA256=C3D287D5FE491A621AA952F3F8CD145F07528A078059E371F603556607CFC2C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033726Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:11.972{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51567-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033725Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.823{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D2B2F5656F346D86A60523F36385C51E,SHA256=3B1B9BFF81823F3B90FD92A025F02BA92445E54677CC0B5FD38F154F61E996F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033724Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A5E-6112-BA06-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033723Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033722Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033721Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033720Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033719Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033718Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033717Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033716Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033715Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033714Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5A5E-6112-BA06-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033713Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.791{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A5E-6112-BA06-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033712Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.792{82855F7C-5A5E-6112-BA06-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033711Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.651{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AABD2806BF6A569228A5D0F2036CAC7,SHA256=0891B90E1DA00F1B789A774AD50D52CCCD5758EC808818101EFFFA69C4787BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033710Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.651{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=691559A479BAA1FCD0EC909333EA77C7,SHA256=3954B046EBC9B955C3D270B0765D1011714E8B6C7B743ABB3CCA4A22159EE16E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033709Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.354{82855F7C-5A5E-6112-B906-00000000E601}24883252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033708Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A5E-6112-B906-00000000E601}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033707Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033706Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033705Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033704Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033703Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033702Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033701Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033700Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033699Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033698Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A5E-6112-B906-00000000E601}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033697Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.166{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A5E-6112-B906-00000000E601}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033696Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:14.167{82855F7C-5A5E-6112-B906-00000000E601}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033742Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.949{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306D2A30B5BCF5DB92E4A1F64335C86A,SHA256=69A2654AF91263E0B0E6D250296AC246E06052B52C5C8974AFA9DC540B75CE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:15.018{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347ACD0AF777AAB5F6FBDEEF4A9215F2,SHA256=8DB73E3451B708E456254803BC005EEC6C787BF455E006A3882A2052C26E6A79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033741Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A5F-6112-BB06-00000000E601}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033740Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033739Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033738Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033737Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033736Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033735Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033734Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033733Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033732Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033731Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5A5F-6112-BB06-00000000E601}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033730Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A5F-6112-BB06-00000000E601}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033729Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.854{82855F7C-5A5F-6112-BB06-00000000E601}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033728Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:15.823{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AABD2806BF6A569228A5D0F2036CAC7,SHA256=0891B90E1DA00F1B789A774AD50D52CCCD5758EC808818101EFFFA69C4787BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033759Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.963{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612C4B3467E1035B6AFA961C907FDF2F,SHA256=8A2D0A7E1617FD1E300E13FF181530373AC22F44C2A4ACFE06EBF675269F7108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:16.035{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8C87A7EE399C452D622062B38A6AC4,SHA256=19F66F4256E4824F8D6EB8CC32B23E5F02E5A383115C0007793A79E8287445A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033758Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.885{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00B156E9666B7B9CB49B074C48462C93,SHA256=CC0A21B2283DDC93EC440D7E881AC4BE85BD332A4F50F1514D6D1C3EBEABA0D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033757Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.494{82855F7C-5A60-6112-BC06-00000000E601}9041052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033756Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A60-6112-BC06-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033755Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033754Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033753Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033752Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033751Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033750Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033749Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033748Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033747Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033746Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5A60-6112-BC06-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033745Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.354{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A60-6112-BC06-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033744Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.355{82855F7C-5A60-6112-BC06-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033743Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.073{82855F7C-5A5F-6112-BB06-00000000E601}24843124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:17.047{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431AB710ED2D10880CCE0DFC9DB7F455,SHA256=16BD375951397C68B712F8900F15D5E8722E223A9D5860C77B897DD876013B5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033786Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A61-6112-BE06-00000000E601}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033785Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033784Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033783Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033782Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033781Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033780Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033779Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033778Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033777Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033776Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5A61-6112-BE06-00000000E601}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033775Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A61-6112-BE06-00000000E601}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033774Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.698{82855F7C-5A61-6112-BE06-00000000E601}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033773Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.182{82855F7C-5A61-6112-BD06-00000000E601}9883316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033772Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A61-6112-BD06-00000000E601}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033771Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033770Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033769Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033768Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033767Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033766Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033765Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033764Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033763Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033762Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5A61-6112-BD06-00000000E601}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033761Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A61-6112-BD06-00000000E601}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033760Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:17.026{82855F7C-5A61-6112-BD06-00000000E601}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033788Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:18.354{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6EAA5D09596944E7CB7499838EDD11,SHA256=3F45B6D916782F9D0A714F9476376D02A1AFB1451F6B4809CC9CDFF153AC90E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033787Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:18.354{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD988121B774F72AE720BC9D15AFF5CE,SHA256=BC107BB8241CBE74D95E38ED32F8CC57A403CA7042E16DADB579FDA36F1BD7B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:16.498{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64439-false10.0.1.12-8000- 23542300x800000000000000047433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:18.062{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0B50A3B05AE7B98A7B03ACBDD0D47C,SHA256=5F25DC6C068B8D13FB2788F524E49E8F56D6E34595357738EE0A533666A599F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033790Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:19.369{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705536F388A706B8D4DE156EEFB43B05,SHA256=76F7A41FA9C093F14EF41A8143905B68E4ECF13871619A066173A23FA4A9864F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:19.077{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC3377381F097DB1EF19870C1914883,SHA256=87281788172827CD68B3BCFED20994F9B1FE96C766332CC732938F6049E912E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033789Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:16.972{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51568-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033791Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:20.401{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158B3D743D58EFF14BE59CF0E635AAD,SHA256=E3E0429AAD6ECEF1C64BF583BD3937FCF781C20D7B4646084CDBB005C8474132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:20.077{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06A46AEDA9E2BC27B575FE866ADCF6F,SHA256=029FA6C8F80F3638415C6D92E27DB68196A9F0BA95442B89864BD4A24CC35BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033792Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:21.416{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F556576935C6B70C2A38F18696A83DD,SHA256=6DFDAB8DE43EF648B7939BCB7ADE5FC04A93BE91643353F470F693A74DE4BB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:21.093{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A36D0E8F015A71D54B428943B99D2C1,SHA256=E18BAF5F0AEF7CC09F2BA7AD8A0DE88D15551FBE213DA65C66FAFE9B39AB0456,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:22.644{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:22.642{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:22.623{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:22.607{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:22.492{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXEHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x800000000000000047438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:22.108{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AA7EA4D3EA9FC32B8813609D6010D3,SHA256=A74C102B738BF0C49C87A7DB2F0CB60B1639428D686EA6CB04440A5DD35E98A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033793Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:22.463{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3229B8FB4CF4C9663D6243001044C0CC,SHA256=08654E1D5B840EC9F5F9C0355B8D759611202D31694370E9B0FF089895F04CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033794Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:23.494{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162B95932A282DC28C9D467E8EE97D0F,SHA256=64E002C19FD80DF873B350CE3F002AD487B0075417D7744ED34DB7AA812B9E34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:21.958{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local57751- 23542300x800000000000000047444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:23.160{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BE0A0B54995AF0A1901828D5CAA76A,SHA256=4809197A919F9591BEB8A67AA5EB4ACFB12459A562401019FE737D4A3C4C3ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033796Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:24.526{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C941402C59331A14E0F198BA73A931,SHA256=640FE94A6682B5D7FC5F940E74E259E2178163380377847D20B5902A5E850302,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.959{82A15F94-371C-6112-5301-00000000E501}7605532C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.959{82A15F94-371C-6112-5301-00000000E501}7605532C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.959{82A15F94-371C-6112-5301-00000000E501}7605532C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.959{82A15F94-371C-6112-5301-00000000E501}7606764C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.959{82A15F94-371C-6112-5301-00000000E501}7606764C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.959{82A15F94-371C-6112-5301-00000000E501}7606764C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.959{82A15F94-371C-6112-5301-00000000E501}7606764C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:22.473{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64441-false10.0.1.12-8000- 354300x800000000000000047475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:21.962{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64440-false93.184.220.29-80http 10341000x800000000000000047474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.805{82A15F94-3491-6112-0B00-00000000E501}632832C:\Windows\system32\lsass.exe{82A15F94-5A68-6112-4B08-00000000E501}5932C:\Program Files\Notepad++\updater\gup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.805{82A15F94-3491-6112-0B00-00000000E501}632832C:\Windows\system32\lsass.exe{82A15F94-5A68-6112-4B08-00000000E501}5932C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.674{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.674{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.674{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.674{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.674{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.674{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.574{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.543{82A15F94-3719-6112-4101-00000000E501}51046344C:\Windows\system32\csrss.exe{82A15F94-5A68-6112-4B08-00000000E501}5932C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.543{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.543{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.543{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.543{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.543{82A15F94-5A68-6112-4A08-00000000E501}11046156C:\Program Files\Notepad++\notepad++.exe{82A15F94-5A68-6112-4B08-00000000E501}5932C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Windows\System32\SHELL32.dll+13b14b|C:\Program Files\Notepad++\notepad++.exe+242419|C:\Program Files\Notepad++\notepad++.exe+29131a|C:\Program Files\Notepad++\notepad++.exe+2c2e56|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.539{82A15F94-5A68-6112-4B08-00000000E501}5932C:\Program Files\Notepad++\updater\GUP.exe5.2WinGup for Notepad++WinGup for Notepad++Don HO don.h@free.frgup.exe"C:\Program Files\Notepad++\updater\gup.exe" -v8.12 -px64C:\Program Files\Notepad++\updater\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=59E483B76096D7D7607128D9A6FB50B6,SHA256=DB816C5B66F1751D7FAE150DDEEE3CD1996BA3E1BA53C6FC2024A9C576E2CA3A,IMPHASH=FC933F2041320B70EF128DD4E38ECA3F{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\1.bat" 10341000x800000000000000047458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.521{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.521{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.521{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.506{82A15F94-3494-6112-1600-00000000E501}12886216C:\Windows\system32\svchost.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.506{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.390{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.390{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.390{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.390{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.390{82A15F94-3719-6112-4101-00000000E501}51043668C:\Windows\system32\csrss.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.390{82A15F94-371C-6112-5301-00000000E501}7605432C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284623|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000047447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.321{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe8.12Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\1.bat"C:\Windows\system32\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=93721903DE25458896394AA3D89FC7D8,SHA256=F2B02663CCF5B98627DE1FCF8D3D35A015A1C5C65BF3AF49A1296EA7375C6068,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000047446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.174{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AA7522DD99E7D9D79D577457D01269,SHA256=D3FC539262A5B6EB8641B14C72E374BF9A2F8B2E573E05AFA034FA8FB22D9D2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033795Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:21.988{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51569-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033797Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:25.573{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41494B173D0CAD649B89344F2B0F2074,SHA256=E5E75DB0B18326BDF01A7B8A3BADEC09B49AD031B13C43C0B322187B23D32AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:25.360{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89E3E2C74318B670DE2E39C2CF8D3E41,SHA256=05979A40E73D239B950BB202D897B6C89B05D462ABDCB1D4D9FEDECCBD09480D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:25.360{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3493B699C772C863C65FD1A431E9D4,SHA256=3E38925B508F7ADB1DC6AABA7CF0D4141D65737AB72B14A9962F59E034C2E278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:25.360{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A927F54838BFD17F75183D57C756648,SHA256=69205A27E4CD73F88C21C62573C6E432889A1DAB493BEC3C2CF356157BCE3C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033798Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:26.573{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A069FBA8CD2916742B556671E50361,SHA256=17BDD8A5F876228EA6D75213AFAD4E4BEFD5C8E380AE5B08735CCAE8FEDCC459,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.243{00000000-0000-0000-0000-000000000000}5932<unknown process>-tcptruefalse10.0.1.14win-dc-15.attackrange.local64442-false172.67.136.69-443https 22542200x800000000000000047488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:24.238{00000000-0000-0000-0000-000000000000}5932notepad-plus-plus.org0::ffff:172.67.136.69;::ffff:104.21.26.128;<unknown process> 23542300x800000000000000047487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:26.390{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACC30D794948B38CBDBAA2276272144,SHA256=9A825E3DC7D8304CD6F9F7B27D9154A0A547D68B713D30B040447A3F2FC27079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:27.420{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2132C3E38A8810B17DEA0813AC6697A,SHA256=8A1E86259B520C8B7F6C854897DA31C4828ED54CF2F0536EB82A6C3350B3A3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033799Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:27.604{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49474B6CA5BF24C4F6B0A9A90B9129B,SHA256=5752F033D292A59A0121ED003C407AEA1F8261DF1B9F9601D4B6721EAA6C61FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:28.439{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9062E0D8E7CFD3D9E3AFC753B6291D,SHA256=8217B1588883FD11D9DE48ABB19A47E5DC5962F135EE5A06E8E00AAF23DB4330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033800Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:28.635{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7695CAFBF386A7946978A0F245FE84F8,SHA256=CDB6E9289EF5D032B77808CC14D6867FC4D72F30EE662537058EE87B50CC2B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033801Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:29.640{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1B58B704CC38D094A76F9BA09D0D72,SHA256=FBE95697CFBB7B9FE5E58ABAEE80308D3685504B97F7C21245A917E777D72E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:29.460{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9B97B025B272ED8B1556C4019248C7,SHA256=2CE838CFECA7CBDD968BD2195DF08DDEF609F50B7D2FDC5B2EE4C3862BD5A0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033803Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:30.640{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320F30595541EF3FA13172D7697A0980,SHA256=8846A6AE8EED9DCDCF44CA49B0BA4790E6B7207A4B291338FB311D0F04A54F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:30.606{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:30.475{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE5037D0DE387C1E77131840FB34B4A,SHA256=92B5A2C417CB2A9F4BDF6A41525CEFC057B47BBE912AF0FB933F12B0A5069864,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033802Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:27.847{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51570-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000047493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:27.574{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64443-false10.0.1.12-8000- 23542300x800000000000000033804Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:31.655{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640E18A0B260525D461F04FDF3FE88FB,SHA256=99FF9A11885BF945ED8EDDBEFEA998F6DA0264F7278993197A09ED0CC521F915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:31.491{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C47BA5F130B91FE19625E40CD510A2,SHA256=46F1706343F8B31B322D1DB139A211F4D766CD9D6816A98608C78AE1131413C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033805Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:32.702{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1C180C98D74CB3B88D94C01BC8F8CE,SHA256=1BA18C39307CA57251EB93AB5918FBAB05E1BB48B7A85EE64C880CB0E1E683CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:32.496{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBC4CD1E1DC6D7DEFC390246978C713,SHA256=2942DBB6048417403B1B0C493C2EAE2947FED335E68627313BB877E7A0E20D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:32.327{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=7AF354B98459FA58522B13B90ABE8C34,SHA256=4F5F891BB7C6DAF28A24E3B3A456CE9E30B058C6EFB10A0660E4AABF023B25B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:32.327{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=233F82A32B69908F92B783731DC549DA,SHA256=60F9615C1E254685F559A69ACB8663ACD68AA786441D0926A0646FD4F1431FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:32.327{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C020350E2571BA29DF23B50EA0C60FB6,SHA256=5CC39106E289336941AA89F8CE96B5BFE860419721B4C3F28C1D2F1A0D6A7E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:32.327{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2B357B9F349F4845715BF5272B985BE6,SHA256=0780D1743DA76A50642C528352D5AC63B30F3A1FFAB15639E9ACDFA6422B5FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:32.327{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=B667915A4BF68AD5C16547FB7A46453A,SHA256=B07793AA5624375DF0922261A96CADE2BE4854C40C129C08643A34247839A7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:32.327{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C40561837F34DE38D8972ED8D5C3D1B3,SHA256=4FE361358E0405D33D1CB00DD6B54E175373C3226AF59C3CEF4317E7242CCC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:32.327{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=F67BDD15CABA905599149ABD9DBE864B,SHA256=3CB14A42294830E906B0C8208F7DEC8C706AF97A8014ABD9EA8C10EFB64096F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033806Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:33.734{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66D8D81885749F0207675745C8EBC29,SHA256=AA95F1365A8251D73A4A2250D141F9AA2F2817867EF64E4294B3ADBFEDB8406B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:33.595{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:33.527{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059C77ECC9504FE703DAC4C9D87788CE,SHA256=6DDAFB2F593208A2919A78E9D19556148452FC8E03EBDC921CDC5F01ED465675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:33.012{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FCCF951197B30F058E71B0BE5F98C1A,SHA256=E54A4F3E40E29D10DAA09018C13F866FCF779925A376329411A2756CF3F7A237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:33.012{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89E3E2C74318B670DE2E39C2CF8D3E41,SHA256=05979A40E73D239B950BB202D897B6C89B05D462ABDCB1D4D9FEDECCBD09480D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033807Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:34.749{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913E8D45D357EDA8426161B98E949BD5,SHA256=88ABC95304A8BC37DD9D4E1372CB93D6463727F88A5FB51474925649E84932C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:33.030{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64445-false10.0.1.12-8089- 23542300x800000000000000047511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:34.545{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59E7CE37015DBC0ACCFB7E8B1FA6BAE,SHA256=3748D360F9099A8BA7E82E8C26A3F544DFF1125D6385ED55FF06923AAD628593,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:31.426{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64444-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000047509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:31.425{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64444-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000033809Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:35.812{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876E32F4E906EA816F710CCD201C7547,SHA256=2FB97E27F856290F6ED886D6C58A341853764D36F5BD8DEBF8F916B1FA731C9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:33.530{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64446-false10.0.1.12-8000- 23542300x800000000000000047513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:35.563{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC5B565E1D8747D307121353875742C,SHA256=A52102898325E9C289C43124DB5005A08B26C7E0C54FC37AE080596BA52EAF02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033808Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:33.868{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51571-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:36.563{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663EBE0769440CE2DDCE7B61CE9B90C4,SHA256=7980F067D04394B865ED2C1CF62A667847E01953C3CDB56F4818E74322EDC4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033810Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:36.843{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B3557B42011AD0BEBBEB806C06115C,SHA256=A83505EE869DD0B25887677059D90075F011FE2CA2AC8FA5A88DD31BA19F49F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033811Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:37.859{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8E482BF79E6ED91F74C8965189F86,SHA256=1B0A0E978C76A893266B764CCE63E360BAA496CF8C5A54D49CDA0E03C04FA4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:37.578{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDFAFEAAEB123951D9BAC504E4F0F08,SHA256=3CF7367EB76F11C863B0732FCCA5145583390A42D332C984F376555CFED57959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033812Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:38.874{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7193B614CCA96E0B0659FE90A29B071D,SHA256=1BEB427260A58CDFC4E7336413055080D03E577A174AD0B4E72D37B07C91DCC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:38.593{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6A7536EB9B05297E44EEA4EB1CAB8B,SHA256=A92C77A69866A3C4C843521470D05AFF7C915C52988831BF8D78429812E0B3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033813Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:39.890{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A47B5717E25494425E55FBED58C992A,SHA256=B9D6507D9D99E54EAEEEAEE36FF6B5773F36ECC0CEC2DC0CA1A3C263441EBBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:39.607{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE6CCC0D5D25B3B1C1A465B02A3F419,SHA256=5FB50A84DE10CCE0224E63C4C896CA93D9D28AD135342AF8958D5E7F59428053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:40.641{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEA9CB20D1C4D8ECB17BF44B6469AF3,SHA256=29ADCE74AD3F113AE1AEAAE566488A1A211B3FDEBC42A9FF91651513793BFB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033814Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:40.905{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443854DE1F4C1F84955C6D9982618661,SHA256=1B7F5CDC7D59263D352ABA43FD51ABF8B91BF32C28A88769743F1E4DC130E613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:41.659{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B424AFBB2EBD651CE6511D9CD487FE2C,SHA256=70456803B07167A55C1E8597CF78E5C4A4D3BD7E59A0A8BF24709E559361AD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033816Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:41.921{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39404F2D18C5CA720A8FDEB1646B4133,SHA256=CDC387C433F2B8350DC86E4D3613A82A649096D123E1B1623F4034464BAE7BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:38.658{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64447-false10.0.1.12-8000- 354300x800000000000000033815Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:39.867{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51572-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033817Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:42.937{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B47637AA6119D319F058CE3A7E4E1F,SHA256=679F25A804BFCA1D575D4B578600BAAA2EACC37AEDA7309E506CA42DB90C5051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:42.705{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44603E49A3920B1705FFF59AA0CF3E8A,SHA256=C8A56A0419F4129B000FDDE1A499C455BB4F8FA95982E7E21136800D60049C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033818Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:43.952{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF22C87740E9BAFA6D2CF416190AE6EC,SHA256=20F370AED9847F4AA0F92D7D7A70E2BB7E99114C0262CE55BCEE13483B9AD61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:43.738{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8CB68F494965656D5A0F6A908D1BE8,SHA256=1EEC66B05863D8998CB4475D07DBA351D567868444128E39956B42B5C68E3B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033819Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:44.968{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDA31A2D04EB5F467D0C5D9D2C5F329,SHA256=B7F62BC570AA47E3F7E744ADCB2AAFC86DE22907B405E883AB0D38BC62D5B99A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:44.804{82A15F94-3493-6112-1200-00000000E501}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000047529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:44.804{82A15F94-3493-6112-1200-00000000E501}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000047528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:44.804{82A15F94-3493-6112-1200-00000000E501}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000047527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:44.804{82A15F94-3493-6112-1200-00000000E501}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d78dd5-0xd98b1ab2) 13241300x800000000000000047526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:44.804{82A15F94-3493-6112-1200-00000000E501}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000047525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:52:44.804{82A15F94-3493-6112-1200-00000000E501}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000047524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:44.757{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D6BDD04F96DE7B77F49FDA7AE98F99,SHA256=A5E4A5067A8AFE3B42376FA7E93242CF88BBDE7BF65844845DFF14462527A89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033820Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:45.984{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60C4464FE5EE9E182A94B9FC46569BE,SHA256=91B656E156336D2633E4A43E0127F66F83176ACC03D72F2DA4B1273B9D77A2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:45.771{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7A3EEB5D27B02E4CA8A3AD55D6E118,SHA256=BC2B9E28D1B1DE4BE9DCC591DCA11B4A909D4D132DE74542849E1907AAEED414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:46.802{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7398DEBB551B812F6C8165F42F84790,SHA256=024E44A5502D602B433E06CD93B415FD24B225E1E5A3F219EE35198BB2967000,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033821Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:44.883{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51573-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:47.817{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D6CDEAE93C63640B3D50B543482C81,SHA256=07C5CED8657058AE9FB4B611DBC0A2242D23BD41CFADFBBD501561BA003FC7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033822Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:47.015{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC33A063FC573B2BF553789B22B02DB1,SHA256=594171D77E8750696AEF98ABF725C34C387EB48AB7E9E6C72C63624A8D14284E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:44.591{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64448-false10.0.1.12-8000- 23542300x800000000000000047535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:48.829{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216FEB572173B33DDD2F5A1162511D55,SHA256=748837DB482538E42F048CE0556EB41B0DA3AE5DFA37BAA09060BE90EF1EB998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033823Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:48.048{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6A28C0184781256C52236F2B2BF6BF,SHA256=5258406406F022E73C13D0030B9890ED012CD03FD0C5743DCD73DFA38F7ABEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:49.855{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7EEF943BBEF7178E3C1E4BB114FD85,SHA256=E7FDC2D9112925881FB736333509312DC33B154AD1AAB25D6B7496D0AAFB93A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033824Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:49.061{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16CF819C04517C35713616FCBB7CE3A,SHA256=9C61D8AED98239AF62B26AB984A618D23E5AB87B76804DB974F48011BBF9987F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:50.884{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8A20E1D49A3FCC357813B331883E47,SHA256=A57EE0B37B3E6F2E2463D58C1B2B1700B05F836A85880C6A0155DF549B4E0157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033825Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:50.063{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D4C66898DAA008B661179F74F939FB,SHA256=D0B40CC84673FDAE9E8F59D858EBDB11FF76813ECEB0F1FA3F908851DD6212D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:50.200{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF944287.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:51.898{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7118D0234842E7251C1438A72607E0,SHA256=6345218F561631AA8469803AA5B9995E322D55AF98E575A78C6935FADE4C0D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033826Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:51.110{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0105889F431FB75E29F657874D8ED34,SHA256=8F87B85996576372AA5A5858CE6EC738DFDAAE6C4D705ACA586CE4968D9631A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047548Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:52.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1285917885B54987A67BE664696F5CDE,SHA256=D241848506ACFA5AC642AB4CB7D695BC5F3965801B051FAB3BFB9CD32A4DFFD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033828Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:50.822{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51574-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033827Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:52.126{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76338731A189D7F3EB5465D3EEF0E4D2,SHA256=0B15C0CB4DC4731AD5724EE08DAD1AAC15D6C2CAD87E3D196AB87CE88FCBAB41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047547Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:50.549{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64449-false10.0.1.12-8000- 23542300x800000000000000047546Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:52.382{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=A2ED357F21B59699863136584ED0CB39,SHA256=C06EE6E63015384060137E746F9408B7C7578B110E5ABD626F48A26CF6D8F407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047545Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:52.382{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=13025D7978D7F2E6E79CDB17416B2780,SHA256=15DC583667F68BF48E9DE7191988E70CB5E4A210CFDF485B30E1C6FB43286B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:52.382{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=FAE89A2000CC7E4052EC928DB75B5C75,SHA256=7E5D02C38FF186267532C988ACC494B45B3E805180E86C2C6BA92686544D9E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:52.382{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=64AC2700BB55747B751B6F72C001989B,SHA256=EFB1692212FD20DA3682329147900037FB61B3F581973F4D61C14A5DE1040739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:52.382{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=271CD314C3B363BEBEDD0056E1AA1B0B,SHA256=C8FD1AB25876088D54F87F90482F002D9C99A4FAE5BADA027B3239D89F6D369B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:52.382{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=F62E995E08A09DFDD765ABBCBCD40E33,SHA256=A05EF9BCCCB604259AB9B2382003246E63716B991737EF840EC24262BD6239D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:52.382{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4F3D95B0FDFB1B80AB81B14635A2607F,SHA256=C3E35E8FB857D5B29FB35279D672185E87F2EB6D066EDAA354C408E67EDB7686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047549Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:53.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB921137F259E92BEF47CC3BDEDDCF3,SHA256=AA2F5349E286CF04C260BB8A12D2F198B83B1870524A2F776C275E45DD127656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033829Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:53.157{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EEB780A88C4747F1670D505D5380F0,SHA256=E22A6C4B0960ED5821C3E1E47B6A136D269AFFF3CCE835E819A11EEB0FD17EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047550Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:54.951{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D0F34B0C425FFFC5B480E43D53EEE4,SHA256=443A4AE3C1594D445B16AE0D1DACDA9A701F24E4BBE580B1CBEBF4CC056CAB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033830Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:54.188{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91CBD4B7C359B28A5CFBECAF7939E0E,SHA256=CA05A8DE167EB516CBA1FEEA9E82E4F93493110D926659A921F9BE3D49E3EB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047568Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.966{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F559862AAF72B5B195D8070EABB55E18,SHA256=C52D0730AD279E27F0E437595F39F0ED103EFE43D0352110E5638A42572D478E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033831Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:55.219{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5020C9186680B01364E7FDCCF8E47B,SHA256=8DA5CF9C526F0B826C9ED416EE0B32D33A79A2FA794051C776A3B097B7078FEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047567Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.913{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A87-6112-4D08-00000000E501}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047566Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.913{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047565Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.913{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047564Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.913{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047563Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.913{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047562Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.913{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5A87-6112-4D08-00000000E501}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047561Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.913{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A87-6112-4D08-00000000E501}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047560Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.914{82A15F94-5A87-6112-4D08-00000000E501}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047559Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.397{82A15F94-5A87-6112-4C08-00000000E501}4322004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047558Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.234{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A87-6112-4C08-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047557Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.232{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047556Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.232{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047555Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.231{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047554Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.231{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047553Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.231{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5A87-6112-4C08-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047552Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.231{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A87-6112-4C08-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047551Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.230{82A15F94-5A87-6112-4C08-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047579Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.981{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9519723C7CF25DC1FF95A4DCCCA172E4,SHA256=8899A65553B837AB2A21DB22EFFD5B136ABC6CB58258B2A71155BE1478ED2D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033832Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:56.235{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6DD9E98D1177901F63BB7F2E359D44,SHA256=4A3408E9BD9CCEC1340B106FD692092CF00A10588342085CB686B0AF87BEDA2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047578Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.581{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A88-6112-4E08-00000000E501}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047577Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.581{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047576Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.581{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047575Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.581{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047574Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.581{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047573Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.581{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5A88-6112-4E08-00000000E501}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047572Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.581{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A88-6112-4E08-00000000E501}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047571Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.582{82A15F94-5A88-6112-4E08-00000000E501}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047570Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.250{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A991A945C166507648753795A7493D8,SHA256=C11D80ADB2686FD5CAE0D3761B05031856CE0CF49EA02C6D0DA11E381D877929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047569Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:56.250{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FCCF951197B30F058E71B0BE5F98C1A,SHA256=E54A4F3E40E29D10DAA09018C13F866FCF779925A376329411A2756CF3F7A237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033833Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:57.266{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF2E1F2E6DD9BAACE7C31140F488E89,SHA256=3D61C0FB0722909F3276461CC11625CCD50332E783CF39EC48D733356F3CE633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047598Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.980{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A89-6112-5008-00000000E501}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047597Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.980{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047596Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.980{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047595Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.980{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047594Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.980{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047593Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.980{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5A89-6112-5008-00000000E501}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047592Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.980{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A89-6112-5008-00000000E501}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047591Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.981{82A15F94-5A89-6112-5008-00000000E501}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047590Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.596{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A991A945C166507648753795A7493D8,SHA256=C11D80ADB2686FD5CAE0D3761B05031856CE0CF49EA02C6D0DA11E381D877929,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047589Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.511{82A15F94-5A89-6112-4F08-00000000E501}46923440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047588Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:55.585{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64450-false10.0.1.12-8000- 10341000x800000000000000047587Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.349{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A89-6112-4F08-00000000E501}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047586Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.349{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047585Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.349{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047584Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.349{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047583Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.349{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047582Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.349{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5A89-6112-4F08-00000000E501}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047581Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.349{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A89-6112-4F08-00000000E501}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047580Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.350{82A15F94-5A89-6112-4F08-00000000E501}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033835Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:58.313{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACAAD2D83B0736A5474D59EACC06017,SHA256=6D17958E9E32125D101609D649BC3249DC29E112780792CD96BB8EDA0E0CB24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047610Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.982{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBCA14D0B217D5B1CF9B63A1A69DF838,SHA256=4598E73A2E3D45E4749C232373654A20207BE55E1406CD7C60C56DDAEA0AD84F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047609Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.882{82A15F94-5A8A-6112-5108-00000000E501}39963800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047608Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.666{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A8A-6112-5108-00000000E501}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047607Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.666{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047606Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.666{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047605Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.666{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047604Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.666{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047603Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.666{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5A8A-6112-5108-00000000E501}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047602Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.666{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A8A-6112-5108-00000000E501}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047601Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.667{82A15F94-5A8A-6112-5108-00000000E501}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047600Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:58.151{82A15F94-5A89-6112-5008-00000000E501}4046284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047599Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:57.995{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1252262EAE41813173A39FD97906876B,SHA256=83E45C658E6CFA53F8D6ABB99E76C6C2353BD7226F0C4319E793C5A3659746CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033834Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:55.837{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51575-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033836Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:52:59.345{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57598FFA89A1C17B9D012541F8FDA38D,SHA256=90B713EDCB6771CE1B4D6AF16A60545EAF10C53AD8EAADB2D5E1BDAF1AE6B4D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047619Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.213{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5A8B-6112-5208-00000000E501}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047618Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.213{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047617Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.213{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047616Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.213{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047615Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.213{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047614Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.213{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5A8B-6112-5208-00000000E501}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047613Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.213{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5A8B-6112-5208-00000000E501}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047612Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.214{82A15F94-5A8B-6112-5208-00000000E501}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047611Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:52:59.013{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B94030F6CBB8704528F5C9B03B2D24A,SHA256=0585FFC7A113DBDF460E1FFBEEAED32608ACCF9514388EBA36ED9FC2D0C433D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033837Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:00.376{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC34D707BACDE9213C5CE15FA87C1F3,SHA256=AFA0D298C68F6C72C8FF24F47751DA7B09E83344005865F0C7E4093998C3619A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047621Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:00.231{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4530AF1FA13021365CFD3627F52E677,SHA256=D0C9CA223348D12F8D77D8F56AB8C55203CE1632D631DFE99DE81D13AA4ACD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047620Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:00.025{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC2A3E5636992F79D21E90625424C8E,SHA256=C031B05CEEE8C4F53B63D2CC6267CEAF41A03FA42A20A9CB55B441D9B9567BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033838Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:01.407{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA346113EFCDA86F1B8EEC7805FF689,SHA256=CC1B7B844862B781BEA15574F420A765109741998F18A335D974B6725964A92F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047622Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:01.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8803FB99A24F2A3C8A19BD07E19A2AF3,SHA256=AE7093E8C160CFD5DA251AD901762BFB6D541CAC0C328E5FB0A1C48A355B587D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033839Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:02.423{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A9E186CD65B27606C9C0C8C8186036,SHA256=D946A5BD03BFEDB02FCC1D969A41FFE1BD0B8218A21B26AC7A75DE4870FD354D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047624Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:02.149{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E9E4B6599A2EC874E689B0B46A19BC71,SHA256=3A92881FBE1B02BFF3613C2112FBDA906D04CD6D9F894F72ED7DDE22C0A5032D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047623Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:02.064{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5828BFED4A3CC0A14FD5985B2A8BE381,SHA256=FF7190313C4EB45D0D29B76A2BDE92A0E35A19B232955FFCC4CBA1AD0F5A2A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033842Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:03.985{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033841Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:03.454{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD093B48588592F2918E0FDD93CFCE0F,SHA256=2810A19FC7C92AA1E4974397C16986028BD49EA275BDBBBE74EEC8DC5E00D840,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047626Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:01.530{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64451-false10.0.1.12-8000- 23542300x800000000000000047625Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:03.079{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787606F4B3E236F85FE56FA193958C12,SHA256=E65F576A28DBCD156ECEA02F1F314F747B323F530ECEC7D69BAF3C0451FB5AC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033840Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:01.025{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51576-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033843Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:04.501{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003EF37AFF898A10FC2BEE6B789853DD,SHA256=43DCE123CF01AC5AC85A2AB1F0CB3EA1A59521C539DEABC485236E16F10DF5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047627Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:04.109{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BEA62E1F4054A5F18F29F71D3E8F574,SHA256=9DD27CB20155C19AC95B3F6E675A01BBBBDA346BCC7B54F076D4E11AD67A2894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033845Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:05.563{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E00FBF09E92CC96105CC91A9E9596F4,SHA256=6C131CC9CE1626AA23276C75712129D85063F91FB40BE28B7F4ED750F3E6898D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047628Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:05.127{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916DA72CBDE686A93DE3BDC7206F212C,SHA256=B808D24FFFFDF94C6950DCF75EB318E3F8F15C4BDBC1A2D52A486776BBAE9F0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033844Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:03.744{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51577-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000033846Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:06.641{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A833DB8BBDFE02F1A0EC4F7272889EE7,SHA256=4ABF31B9788E2542AAC03A717B9DCDE10F331109CBD6986BFA88CD7EA6105A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047629Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:06.145{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E760CFE1124B5C3C303724B2187F62EA,SHA256=D5DFDE4698D2A5668FF21250D36A64277CF3105BA98989A80CF85710D126CD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033847Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:07.673{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE5F377D2B655991F359BCD50443B84,SHA256=F637477EDC0D48C64A35FF2E93D3B0680FFB23BE4D527647A6FCBC07F2BB48B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047630Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:07.176{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FB1A9E7361A27A632BC3FAB5203A3F,SHA256=51296EF5D86095F603775AB02C464BE91CB44214F39E3CCF8EF9D105037A6A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033849Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:08.673{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF7F1EE6550958FB9C79327518D0332,SHA256=ADE69129612D6FDCD7FE07A82E3FD1ECDB2AA558C8625F9A4A3210B5249C56FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047632Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:06.658{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64452-false10.0.1.12-8000- 23542300x800000000000000047631Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:08.191{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36389B43607B95E8B2C7D48E0FE76986,SHA256=75B16482252D79E2EB69FA9D7FFB9B3EE5CC07A2C64706C3B16F65EEA4CBFECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033848Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:06.869{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51578-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033850Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:09.721{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CBBD808226266A8D655D38AAE45EEF,SHA256=D1DE629827265BE64C1C29FDF4235D3FBDBD3D5627A181EB3A74E22E6E4B23C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047633Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:09.225{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBB24294DB4816EF4528DB329BF1FF8,SHA256=0A822A7BF2AD870FFFFB492E63288197A356B96B99985C8A472FB8791016BB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033851Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:10.737{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8B0999669839D49741116AA380165B,SHA256=A0916545E918985BF274D1B201D308536069CF250FDB360B54AF66E48C954B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047634Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:10.243{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C653B5C5C86EAC977B696D97B22BFB7,SHA256=81FAA640E06C679D962B3D25D4DA5DCD0F2C2569AC0553362C54230C5EC10FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033852Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:11.753{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929769DB17FABCE11977E729784EB43F,SHA256=D852C6358E7CD5715FCDA7F89C8036D4E405EF10319A6E3502622DBC7B3BEF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047635Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:11.258{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D093E4860B794906EE847F347E9C81E,SHA256=991456D144DE3C4F06A7C8F34DC6598BF137516040DDA8B8F50CD1C15A3B2117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033853Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:12.784{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C85C86013DEF9599E2EA9DFBAAD2E41,SHA256=0D79A10CB603E34A82AC80A3B324EE62DB209A34F36CBC6AC1EA981C090A8F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047636Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:12.277{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266D9C8A47FA4893465E2DB1FDB462A4,SHA256=ACF618D32E4E305F1D92EA4A234F1DB39EB6108BEB574262B97C302E18044DA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033869Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.831{82855F7C-5A99-6112-BF06-00000000E601}35681104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033868Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.784{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C107C6EB82CF4058F04FCF1E9D3FC8DC,SHA256=5CE15C32DDFC8BDCF8FD6B6FC66C195441E1F0925A180C64E2A827D01C7A3291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047637Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:13.277{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F951540DEF04A3413D024D97D0E97C2,SHA256=3734EBB7F78AA8D030A2AB4E96C6BE4F1DC533379A1A4F12D3550A79F7DCDCC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033867Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A99-6112-BF06-00000000E601}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033866Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033865Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033864Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033863Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033862Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033861Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033860Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033859Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033858Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033857Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A99-6112-BF06-00000000E601}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033856Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.643{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A99-6112-BF06-00000000E601}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033855Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:13.644{82855F7C-5A99-6112-BF06-00000000E601}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033854Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:11.996{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51579-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033899Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A9A-6112-C106-00000000E601}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033898Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033897Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033896Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033895Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033894Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033893Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033892Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033891Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033890Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033889Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A9A-6112-C106-00000000E601}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033888Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.878{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A9A-6112-C106-00000000E601}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033887Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.879{82855F7C-5A9A-6112-C106-00000000E601}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033886Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.831{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F82C53B19CBAE160455089730DDE6671,SHA256=A673EF5165171DDC204818D029BF7DFAB1E65632CE6BE98D082BB5F07E61AA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033885Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.784{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50B34DDA22BEA25DB54F9EE8B26225E,SHA256=1CBD49DF94C4E7A0CD2400FE3136BFE5585F43B95C73C9C1DE1C449F956769EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047638Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:14.308{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC9D0F79B01D5C2F4BB71C74859429A,SHA256=8242D5F223BCDA02E9220CE597C8737783C487543634AA35D6EF29D7F65F6E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033884Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.737{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFD8A3B144E4FDD17F8C96DDCC1D0A71,SHA256=C54910AA46DF70D7F86842B51F7F0917018C9505937104C670144EE6A5F3C689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033883Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.737{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A38CE03D10761DE92B1E3891878E4AEC,SHA256=0F2A25B36A5338A69B2646832327D51FE2DCAE2A6713FDBAD0722F8B2E8C264F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033882Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A9A-6112-C006-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033881Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033880Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033879Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033878Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033877Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033876Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033875Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033874Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033873Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033872Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5A9A-6112-C006-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033871Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.253{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A9A-6112-C006-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033870Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:14.254{82855F7C-5A9A-6112-C006-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033915Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.987{82855F7C-5A9B-6112-C206-00000000E601}6762852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000033914Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.956{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFD8A3B144E4FDD17F8C96DDCC1D0A71,SHA256=C54910AA46DF70D7F86842B51F7F0917018C9505937104C670144EE6A5F3C689,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033913Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A9B-6112-C206-00000000E601}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033912Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033911Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033910Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033909Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033908Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033907Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033906Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033905Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033904Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033903Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A9B-6112-C206-00000000E601}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033902Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.862{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A9B-6112-C206-00000000E601}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033901Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.863{82855F7C-5A9B-6112-C206-00000000E601}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033900Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:15.831{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5DB821473F2E92D7D2DB6AFCA640E8,SHA256=C1BA039857D8A0351FB4112E5740C52A6306D46743B71EC344836620A5C3CB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047640Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:15.326{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E298830703CE6F3EEDF9F71359FA150,SHA256=5A78BFCE90E37C0D54950F77C3699B9F10F5313E5FDBE40CDFD88877F0DA00A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047639Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:12.563{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64453-false10.0.1.12-8000- 23542300x800000000000000047641Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:16.344{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F78DE619F340B3F5C5F4A8E24BAF76F,SHA256=48E6CA3FED6F2B367981EB817FBA437C9907CC00F205E1C1C9B90442193C5D0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033929Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.674{82855F7C-5A9C-6112-C306-00000000E601}37242640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033928Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A9C-6112-C306-00000000E601}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033927Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033926Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033925Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033924Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033923Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033922Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033921Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033920Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033919Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033918Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5A9C-6112-C306-00000000E601}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033917Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.534{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A9C-6112-C306-00000000E601}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033916Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:16.535{82855F7C-5A9C-6112-C306-00000000E601}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047642Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:17.359{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC74522B002820BCC5E122DA5EEC26EC,SHA256=8D637E129C32164C978D35D0137F7EFBF561DA907805995BE0187B2964FD3CFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033958Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.971{82855F7C-5A9D-6112-C506-00000000E601}40242712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033957Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A9D-6112-C506-00000000E601}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033956Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033955Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033954Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033953Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033952Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033951Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033950Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033949Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033948Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033947Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5A9D-6112-C506-00000000E601}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033946Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.799{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A9D-6112-C506-00000000E601}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033945Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.801{82855F7C-5A9D-6112-C506-00000000E601}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033944Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.581{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FD3455C9A66C5E7C1B503F067ED59D7,SHA256=84D47D69820B07D46C7749792640491C5EA135E12ABB7E3E729966D0EB96BACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033943Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5A9D-6112-C406-00000000E601}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033942Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033941Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033940Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033939Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033938Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033937Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033936Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033935Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033934Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033933Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5A9D-6112-C406-00000000E601}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000033932Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5A9D-6112-C406-00000000E601}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000033931Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.178{82855F7C-5A9D-6112-C406-00000000E601}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033930Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.175{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE45660A456B3E32AC802C2FC35ECE7,SHA256=D0B1B52D14902DEE5851C150954B285025B7C344BA020CB6E77C091D4B2FF09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033960Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:18.831{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3B547289171EC0435012F3E04D26ACB,SHA256=65BB778F6CECB2AB525F666A023A01EDB215BC7E801E7B725F2FD699E896D40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033959Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:18.424{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9241950D3BBC15A82F106B2BD34FB0C2,SHA256=F785E157C2E3F846A9753C9E2FC3E5B9B641B7EDC7678A7A0EC0C99ED5320287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047648Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:18.621{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047647Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:18.574{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000047646Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:18.574{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000047645Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:53:18.574{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.62.139016664C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000047644Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:53:18.574{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.62.139016664C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000047643Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:18.374{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1BA7E94337FE7B6EE93EDABF927B30,SHA256=5E00F6D5F79D7C071CE641B80B9B2E485F717B0F5123596CFF6D2F882330AE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033962Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:17.995{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51580-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033961Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:19.596{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B4C1D84ED1E10696FDB66B045E9D9B,SHA256=2E5AB2DF6928442715807B7347859E5DE60739346C95AAD674E2F74DCF0C6EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047649Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:19.405{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1760D522C48C1C1F06045E1CF2DEF17E,SHA256=CE40A3C8775E0CF39D7861EFC910A08E315F5D6B5887B63C7DC15C09D75090CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033963Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:20.628{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F5E8F4AC7DA7AE015A990B4D10619D,SHA256=FA4A02ABB2A83AE5DA1D99E41507A174CA7B9527070E04BC2CBA17C441DBCA62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047651Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:18.493{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64454-false10.0.1.12-8000- 23542300x800000000000000047650Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:20.423{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB97D3F497309D7597593BA03EFB3AA7,SHA256=92E92CE64FC442E83704DE8CA1E1BDD335BDD5BD58F5A333BA8CBE734797C89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033964Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:21.659{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AF8577C16A2993BDFDC6E3591DE75F,SHA256=15A344B0388ED9E34809F0C24631A7A85E4012988E17E755B4018BE312020796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047652Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:21.522{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0DA45E85E965710D1FEA954EE753A3,SHA256=82212618B8760314C6489D3E8506781CE53563C03A4A43B5FC5503914E5FF810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033965Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:22.690{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1E341488A4F2480777F0C8548BF3A7,SHA256=9C9131F68AF19618C499EAC882C5EFE2F5DBD4E49CB7CD53D8DEE704A7BD94F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047653Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:22.543{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F7106FDE9E03CD9652298AC880DB61,SHA256=DCCE71A5DD4FB1FFB9F17FF6053EDDC56200FBCBE7EC41BC6FA67B2C4B0B9AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033966Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:23.799{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980B23E4A1C240A74FA8291EED539F63,SHA256=0C65334591F855AA378FB9A1F1294382DBF6D59509089BBF4FB06CFA47EA0804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047654Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:23.558{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61768393D0FF2C9C3E58FD7DF0985AEF,SHA256=727C4BF20AD540A824129E2C8E8F34DC4BF6BB3FD911B300DDE4AE39D489F390,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033968Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:23.011{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51581-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033967Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:24.815{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E988748768D5C95C5618F254373B5709,SHA256=5BCC9ABF22512CBAD757B3427414B4975B3962737332520E836F1B0D9C04EE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047655Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:24.558{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63374F0E9F11730569E4C2A8FA0AFCB8,SHA256=4C3BBFFAE20C4AA7852956E01397551D693F625BF42B80CE71C9094B48FD3F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033969Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:25.831{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B25C5972D9DF48A6CEAC05CD965BFA1,SHA256=8D6E6B32AF0B28729164E7AD43AF642D5B49541DC20E1C2E753FD792A7F17CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047656Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:25.588{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02027D630F18112B93E0078949026D13,SHA256=6A462D1B9DE755D68F2CC828AD43D24BA75806873A1A660E3CB97A7CC9CCEFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033970Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:26.846{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F01F8F68E9798F027F01675CEE28123,SHA256=DB6EE2C2AFA76F1F8A629FCF795D6A83296C9A584F1A48E0768F3E10B9B9D921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047658Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:26.589{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B547444BEA0EF815CA93B79BA25A9D18,SHA256=98433B8377D61309D2A3850517D1E29390198A13231D0F785B88286D6D54A3BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047657Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:23.677{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64455-false10.0.1.12-8000- 23542300x800000000000000047659Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:27.603{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF81A4AFC6669EC595165285130954DE,SHA256=46F12F5E2C1164E5A6835245EBC693E432EC7CAA12CE48E7A11B7089910749F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047660Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:28.620{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362F17F1DD568FD48A0CFA6AE4422390,SHA256=CCBBDFEE1F6CC21157BE062BC1860329C5638B55EA1A610FC5AB470E7AD6D6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033971Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:28.065{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D9BAE7A0F0E92729B8EE9EA5A53316,SHA256=06B1A4C99E0A1365CF955D5997B0D167E60F2A42DE44B3A44BED73C2034E0314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047661Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:29.655{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37BC57C3AB76C91C8699DBE84BD32C1B,SHA256=7FCB4194783313E31A1714727AF14FD8ECCDDAB8C68F743D8076ACF539D77642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033972Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:29.101{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED57D522BAEDC1C6FD5BEF3149C654E5,SHA256=ECD1E1381EA85E1646CECC4A5C1B3E4CECC8F965F9A1552A9D9C08F0A5325D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047663Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:30.671{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F9604283709D698B48A7E918253F86,SHA256=3E5E0595E01D458DAB9096BFC754672728043E51E7E6A7BB71A8BD8CD91864F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033973Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:30.117{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86D8F2843BA2FF9DBE5908D1937DD77,SHA256=8DCE518FC43C344BF4C0B2A8C99FA2E60F3829C43A8D3371F9457C60F4125E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047662Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:30.655{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047664Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:31.685{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB00DBFE5835006B8BAA6AF4FE4591D5,SHA256=D76371899C6650C68486F91A9807A27D30EBD4285BE7B40010C2ECC3D9A68737,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033975Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:28.859{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51582-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033974Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:31.132{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB069378B1E13854E868F46715CEBAE,SHA256=A521A1163D502585F4DAC6CD5D1EE2885AEE81D1509C48DFA6310EDB212E8505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047666Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:32.701{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A74122AB7DFFFC91497880500067F33,SHA256=6C865CA15229688BC2B28A24F26CC630C7327F93B314E1710A72FA322E3710CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033976Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:32.148{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAD11147B3CA713A928B0C872D3E64B,SHA256=67D0AB0A0647C3FD92CDFA7219B333B9EEDDD8B50F8375ADB69F4B8A687BB194,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047665Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:29.556{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64456-false10.0.1.12-8000- 23542300x800000000000000047672Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:33.720{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBCBA76515FC73E23778BB0BA2F5D46,SHA256=87B73A345982F91199138F52B08A56753506C15391C48B140C5859BDB35AF140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033977Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:33.148{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EE0CDAFAFD26EC0210617535B2D7B1,SHA256=2A0EC02E81FCA53007CE21F8BB4E25B5C103825AB47B843DA940248ABDD73E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047671Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:33.622{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047670Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:31.437{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64457-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000047669Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:31.436{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64457-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000047668Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:33.022{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1564544E51A118E49C464FF1867C1B0E,SHA256=9089828CCC21B1C20BE922456DB476BDD77BE3097C773D49472A417D2CA729BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047667Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:33.021{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61D3072E75CBF0B460F2C9D571EA614E,SHA256=765CFF05E1380D8872E24EB81865FBFF2CE77D685AE233580D51042FD04A9860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047673Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:34.756{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4A9D75AA9FAC6FC74C3851442DCCF5,SHA256=96A0FAFF00C5333E9C364BE25C1637B015B706A492B2450BE60AA524D4788387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033978Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:34.195{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC3388EC89593CF015E73FA6953953C,SHA256=A43C9B982EE72803B157F760BFE7FEA496AF0DFFAF2654D63B66967BBEEB9C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047675Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:35.824{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EFFA0329E3816274DA162EC7F2565C,SHA256=ECFE88B66ECB01D0FC324E18C3A53FDEE8826F75EE3C442C890E6223DF1AC290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033979Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:35.195{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA66D73CABD17AB14AB6C022F02C2A67,SHA256=135618D44DEF4242C59E5C9205E11AA7F763ADCE83A1D0F47F883AF67B848A33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047674Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:33.035{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64458-false10.0.1.12-8089- 23542300x800000000000000047676Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:36.839{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DE26A13EB2138FF6F3F3BDF058962D,SHA256=5EA25C0938A434C5283013BDFEFC430A5E8887F298A885E2B5A8D26E24A8304A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033981Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:34.016{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51583-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033980Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:36.210{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981EFAEB81FB581A99842F52C2C24FD6,SHA256=E7CBBEE6A77269B5DB16F0E9DE61C25C84D9DFD95F607D0010AE7E05C27986D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047677Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:37.854{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E99FAADB144D2C345DE7426C09B12AA,SHA256=A4E5F678AD7D63DAB099C5A58073FD65309A9A01B606EAD095AD6A517D080729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033982Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:37.242{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5654A8BCCD037EEE9318DCD023E2F334,SHA256=963D0836D1ADF9CF5BD77ADB914C26035CC8685E15B002C9CF084827500716AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047679Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:38.884{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038D7ECCB438BAE9922E924B1130493F,SHA256=15E1AB9889127D9FF0848D306705B56DE0C81D2E407ACFF112A4C0875AD923E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047678Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:35.553{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64459-false10.0.1.12-8000- 23542300x800000000000000033983Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:38.257{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454797BAC846AD8CFD2EC840771DA378,SHA256=3D2C7C62AF29F4B33F9D0E02B0F5AB98E66929A849C6ADAEFD9DE12A488C990B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047680Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:39.899{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E6BB9150932620F95829A97015DAA1,SHA256=FC9ABD796F363B9BB97D53A17415A36DA02417FE85246FC83AA8578AAC9D60E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033984Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:39.273{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEB76B88A02E7E38D0FAD5A2EBC76B1,SHA256=8359F316765521FC26AB01C5122EF9E02B5EFB3DCAC14F7D4ABE478C59B488C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047681Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:40.917{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293C3143A3C35490742EF96B164B8D8C,SHA256=5BC876D323293102AB65C3A81EFA83DA9DD05D764F31C169AA18A8903F05CE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033985Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:40.289{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60CE2A0E4C308FD013DAA69981427D3,SHA256=A2F6DE7EBA3D45FB7DA460ED9A31A04AFF53884D021E9BE7D914743F1D8239B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047682Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:41.937{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6443F76770F7E4B0BD4ADBFA751389D,SHA256=35A5AE173152DB2963665A556C5E0D91A21035BCE4DD1CD2C9CBF21BD2DE45AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033987Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:40.000{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51584-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033986Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:41.320{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8603B32F00FA45D1D9816599A4E645,SHA256=C80E61756F76F4C13798A93114A79395187DC19ACEA11D40B0825CBED3C1DC6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047683Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:42.968{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A8F7603B80908BE713641BA20CB766,SHA256=95A24DF91EA6AD66E63704AF7C055EC869FC39E12275C490517B96B14F6C3469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033988Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:42.351{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAA7AC94E61E1BB77090DED818C26F0,SHA256=6B488AC9067135EDFFE8A88E69321BF0197A8CACC671471E76EC8C0B51A334D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047685Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:43.983{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A4C0AEB1962E5E6C7EFE285E9B77A2,SHA256=C74975D25F66F65E2C183053EBF3B5A66C4E16AB5227A5B78BF19431483F2504,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047684Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:41.571{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64460-false10.0.1.12-8000- 23542300x800000000000000033989Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:43.398{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E6D641ED729A8128D1F7C0FE5F57D2,SHA256=53ABB4783A239876525E715DFAA2D66D7BE85D93CFA79F5105D0AC736E4A7D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033990Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:44.445{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FBCC190D1891052A57DC3C4EC37827,SHA256=049776324E65854FAD16985B3E43A78109E0156D8B56BA038A8456AEF1BDBB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033991Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:45.460{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A216FD1AB07FB8DD22C1DC9FC08B0487,SHA256=3319675DF9EC0860AF62287989CF61EDD5B3266D4A124833D11BEDCA086B4E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047686Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:44.998{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DA5A6128E7D4F5BB0E38ACF83796E0,SHA256=2BC299D2441B1447718BCED5D4CA7A821DAFC7E3205BA4B5A97967B612071E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033992Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:46.476{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577992EFB2294A1E37BC0423F36824D7,SHA256=0D313D3670F07C231AFE01E764B09668255C45F9511E68E4FB284A31A15A4522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047687Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:46.014{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8293BE544D53F3BCB7C9759F178ED9F,SHA256=D5ED1B4C60CCFA000E944F904B6A62AEB65793D9293135B05BB38C932B2D1C22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033994Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:46.000{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51585-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033993Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:47.507{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303943936E46B2263BF75392161EE15E,SHA256=2225F5173899FB7B5433EA2FDAA9E5BF3D8CFED51B1A1B65D26F4F6D5B768750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047688Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:47.049{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4370B0BAC1A4154D3AA4B5D82AFEAB,SHA256=5FDD457BB537BCD03A7D3234F23D7FF24A7015C532E7116F256B848BD3E33E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033995Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:48.540{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBAB3365E5F6AB9A72CE7AF8FD3D70E,SHA256=F4CE3A83D495683EE3F05E2AB2AEF9F259579E6CAE082E54667E8676E3C0B220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047689Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:48.064{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F2D7C619F1FB6E5C30F2E3667A6065,SHA256=4E693815169510A0BABCAF09926E0F70F55474EC5361238D0F2B56C84B59EB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033996Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:49.543{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F05F14F71784F4B5ABCC39E63A3A8B,SHA256=7FF25F0598E8325E0B1B60CD0B3317B18DAE66D73B632C97AB24F4B66B0B0164,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047691Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:47.530{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64461-false10.0.1.12-8000- 23542300x800000000000000047690Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:49.079{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C438D9A68E223F9CDCD20B6E1E4D8DDA,SHA256=BFB108461C8310C8C5B3D0350A19C137129F7C3696AE95F6D263A720FAEE8208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033997Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:50.556{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269FB78BE245210AFA9E104C2AE74651,SHA256=8478ADBF2133466BBA85845DC5A750E06EE50DB694625FCE99F50D7FEC5AD4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047692Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:50.112{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D50573463217886FE3B55A4E2E673A,SHA256=1C0776639D69A01009D4BB28179CECDBDE819E16542EBA847AECA8EF5704978C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033998Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:51.572{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5367AD9CA3B5FB923C9558106B5D386F,SHA256=FE4F04AE294458272FD0E41EB645537099EFB60D1D2ACA91018817F3E239212B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047693Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:51.130{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884DA30AEED9E22FECF7703ECA871BD1,SHA256=56000421E2F35F43127BFFBFD864C56316254E617F20C5AEEC24BB4EB2A83C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033999Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:52.572{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F0EE0E7B853DDAC3A82B11B180088A,SHA256=3EA1905A774346407E7BB645CBF0F3D9A9ABC6E5DF32DE7F8325BCACA7DBDF13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047694Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:52.145{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8FA562D85A898EAF6614C6FB87A8B4,SHA256=70A066F1471A03441DD86A3600D972290EEA608EE3DACB1D005705BC63A842EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034001Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:51.986{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51586-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034000Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:53.634{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3675574346981B1DD9BE99D5B39023B,SHA256=67A615D8032B9F0732C9D835DDF6C2DD55D65E5A11592BCA5294D14103B4725D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047697Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:51.252{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-15.attackrange.local138netbios-dgm 354300x800000000000000047696Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:51.252{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-15.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000047695Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:53.159{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4898059CAE88565FCA49D2BB63E7166A,SHA256=0C70FDA434E520584218C3F9F2EFD4D9BC697C7B02DC9EF82E4C799E4B450A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034002Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:54.650{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7E1296664B2D3445A4C8F7A917C775,SHA256=6F802154983EAA1E67F396ADE4B34C1DE74CB619AFEE28D5C8164FCD7725636E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047698Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:54.174{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BFA61C134A1C1321BD6830556D06342,SHA256=D11B991858C8002A108679136D4845E6A86E29E1E6795D8F0DD4C48AC943B1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034003Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:55.666{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8DFA5B90508CFA3FB3751B8BE51D51,SHA256=43E4439D4E810A2F8A88608821F63604DF4CA1637E6296151822A8E143B1C065,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047752Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.927{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AC3-6112-5408-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047751Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.927{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047750Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.927{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047749Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.927{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047748Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.927{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5AC3-6112-5408-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047747Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.927{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047746Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.927{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AC3-6112-5408-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047745Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.927{82A15F94-5AC3-6112-5408-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047744Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.909{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047743Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.909{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047742Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.909{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047741Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.909{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047740Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.909{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047739Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.909{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047738Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047737Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047736Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047735Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047734Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047733Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047732Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047731Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047730Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.908{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047729Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047728Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047727Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047726Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047725Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047724Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047723Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047722Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047721Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047720Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047719Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047718Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047717Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047716Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047715Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047714Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.905{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047713Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.905{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047712Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.905{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047711Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.905{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047710Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.905{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047709Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.905{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000047708Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:53.493{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64462-false10.0.1.12-8000- 10341000x800000000000000047707Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.243{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AC3-6112-5308-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047706Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.243{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047705Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.243{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047704Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.243{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047703Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.243{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047702Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.243{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5AC3-6112-5308-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047701Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.243{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AC3-6112-5308-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047700Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.244{82A15F94-5AC3-6112-5308-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047699Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:55.174{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D710A07CBAAB8A01D50CEC2CD0B612,SHA256=BE337F6EF79312F9FB26DB73B0397C09410B656800DAE6AF3ED063E17A318BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034004Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:56.728{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1FE72B0DA735751CD48A1AC9EF73F1,SHA256=B0BDEEB517C7F07FF52966085054B8261E93E2AAB5FB3027A8DF56E198239B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047765Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD34434F8C72E30442D37FE4A179B2BD,SHA256=E26F0F77B0D0410B918E238E8DDFF44ADF6D0D6E0E32F1F63A1934806CFD1FC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047764Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AC4-6112-5508-00000000E501}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047763Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047762Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047761Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047760Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047759Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5AC4-6112-5508-00000000E501}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047758Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AC4-6112-5508-00000000E501}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047757Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.462{82A15F94-5AC4-6112-5508-00000000E501}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047756Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=774E037A6D5AB6B6B52E3F8F50C49E14,SHA256=4A4A16654199FDBCF1D22443FE74B8FA8078F318FF16A1BEC114C02A53BA7E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047755Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E9B9129BBDFCDAC44F8A0C9F7F2E13,SHA256=08D02D431C593CE0EC416D60AC2710E68063C4A67395DA6EB1021D3D13B68A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047754Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.458{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1564544E51A118E49C464FF1867C1B0E,SHA256=9089828CCC21B1C20BE922456DB476BDD77BE3097C773D49472A417D2CA729BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047753Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:56.111{82A15F94-5AC3-6112-5408-00000000E501}58885660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034005Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:57.744{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8691F21109342286F2D4F8EECA569A99,SHA256=096EC98A9E9B4F878440FC4C308EF2CCA91B595D48303A13E518246D1BDB9B5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047784Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.988{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AC5-6112-5708-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047783Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.988{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047782Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.988{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047781Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.988{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047780Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.988{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047779Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.988{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5AC5-6112-5708-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047778Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.988{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AC5-6112-5708-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047777Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.989{82A15F94-5AC5-6112-5708-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047776Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.525{82A15F94-5AC5-6112-5608-00000000E501}3005128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047775Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.472{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82881872C232A43CFE9E62730FAC7850,SHA256=4548DCA314E2DA75C92B8A83FD911987404704F4C90727F07BCBFC46A6250567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047774Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.472{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=774E037A6D5AB6B6B52E3F8F50C49E14,SHA256=4A4A16654199FDBCF1D22443FE74B8FA8078F318FF16A1BEC114C02A53BA7E92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047773Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.357{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AC5-6112-5608-00000000E501}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047772Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.357{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047771Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.357{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047770Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.357{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047769Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.357{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047768Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.357{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5AC5-6112-5608-00000000E501}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047767Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.357{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AC5-6112-5608-00000000E501}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047766Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:57.357{82A15F94-5AC5-6112-5608-00000000E501}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034006Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:58.806{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CF37AF06092C1FCC3B04CE73A1303B,SHA256=0DE82D21074A2590F3A0A757CD9A4FCEFA8B8FBDB8D44017729A1EF89E45A636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047795Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.825{82A15F94-5AC6-6112-5808-00000000E501}66646224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047794Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.672{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AC6-6112-5808-00000000E501}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047793Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.672{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047792Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.672{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047791Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.672{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047790Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.672{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047789Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.672{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5AC6-6112-5808-00000000E501}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047788Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.672{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AC6-6112-5808-00000000E501}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047787Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.673{82A15F94-5AC6-6112-5808-00000000E501}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047786Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.472{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F85482B27CA50A9B67490F5973BD80,SHA256=4C76DC1B344CF0ADD5B411052AEB9201841E1A502162FC6ABBAFA5C8E5246952,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047785Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:58.141{82A15F94-5AC5-6112-5708-00000000E501}4326568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000034008Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:57.908{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51587-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034007Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:53:59.822{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9174E358B8F1BE06107B04B6DA54084,SHA256=BDB67A5FE44E318DB85CE01FD2155E16FF04E938A30C942F38A8687002355311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047805Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.610{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A277A39A15D7E15502EFFB96FD48E964,SHA256=98C034638BDC15B7100F8F469791FE29806FD802EAEEFFCD9B31A2B30CFF5FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047804Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.340{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AC7-6112-5908-00000000E501}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047803Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.340{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047802Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.340{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047801Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.340{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047800Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.340{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047799Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.340{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5AC7-6112-5908-00000000E501}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047798Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.340{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AC7-6112-5908-00000000E501}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047797Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.341{82A15F94-5AC7-6112-5908-00000000E501}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047796Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.006{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBBCBCEFF195A5AE4A829207DC0343F0,SHA256=974F243C9B3C5006085E715A1BEFB0A5D91971349B37D69FBC590D6087FF660D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034009Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:00.837{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8F2ECC72EA9773044D5B7D32319DF9,SHA256=1D5C5D4B4B7FA872BCA7F7741AE6A65EC1054BFE1FB0B68AAA3C210EEE56D316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047807Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:00.625{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9C83E9BB33A112F4475AC13E5EBA55,SHA256=258F27C7DA918D1250DBE11E5BC94541C2B244758CE8B0D0E14CD2BA0497BE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047806Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:00.341{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35D763B81BC7AC51EBDB0C7B5BFFEBA9,SHA256=331F9708DE81EAAC4A222A57D325533A64751EE6CFAA08C7FB305C13C1C02716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034010Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:01.884{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115B805AB00CBE4EF14F977AE08FA12D,SHA256=274A9C215B362DFD1414A586D3E9684E69DFDB324373BC326354B72EBDB4B4E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047809Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:53:59.538{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64463-false10.0.1.12-8000- 23542300x800000000000000047808Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:01.655{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8282D3DDF97D48705E9D26F43CC8B8,SHA256=D8B9D1960B44786A0A33561ACEFDA0EFD18875F3F2FAD9E94EBDF59E7357A793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047811Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:02.670{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05D4D0DFBB8C7FEDD574097C2A174FB,SHA256=42841E9B086F91EA9DC9620C2F5F05F3667D8283B47CEE1F143468EFEFB4A676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034011Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:02.931{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDECE6FA9417BDA5B3E4825A76CC5E58,SHA256=3B08A1623E7A4264B2537D7EB78F9645A66978CB5FD9492CE5DA461A90099C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047810Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:02.155{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CDC3DF6C5ED9A2EBE444C4C2C498F0EF,SHA256=75A3B8B607906BF74A8497DABFB3A006A4D801443BF9FFE65DD7ECAA2DFA375E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047812Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:03.686{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB637B4AC71A2E659AC955234E1B865,SHA256=F91B5DCA42411CF5671937FDEB27214BE4BF1410790D1B99E3A27142B07D991F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034012Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:03.994{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EFDA2EC121815B4F0DEE67E0CF3249,SHA256=10F71235FF6D925E18DE7016A671043A1DFDEDE162012CB77CAC592075C3C8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047813Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:04.707{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A48B8F185F4E9B45FA7F8111FF4B204,SHA256=3F29D30164A56510D162EAD2D5D904D21107E147AF8E6FB9AF5E5C17F5A22E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034013Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:04.009{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047814Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:05.722{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691FA98155457A770A88FB01B15DF8A9,SHA256=AD4A0B98533B8490CE7C21E4BF188800A985F7500C9737FBAC3DAB70835FAA88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034015Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:02.939{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51588-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034014Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:05.009{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C219222EDAF7B4919EB6ADD71BF4EA7,SHA256=9C6FDD663BFCEBC97A175844322861A00825F421686DB7E98556F78DADD3BBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047815Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:06.753{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E164DAD1DAABEA2B4628710B065ABD,SHA256=71ECEFD4766252667625E5D7B08D257D39A1677A46820B20E4952CFECFE0A396,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034017Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:03.767{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51589-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034016Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:06.009{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314ACB0BB97FFBE04FC0ACC0F36794F1,SHA256=063D02899F8ED075E16CAF480359EBE9E578FF38391B39851CB7C9242D6D36A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047816Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:07.768{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877787F620E61633B39192E7880DBA14,SHA256=4310F8492A6231AF23F32A5DA74E7256FADB57EA6EF121C75E4B7BF61A4F96A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034019Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:05.194{82855F7C-3681-6112-0F00-00000000E601}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse20.79.73.243-57023-false10.0.1.15win-host-456.attackrange.local3389ms-wbt-server 23542300x800000000000000034018Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:07.025{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F5EFDA87CA531F20DC23DBA1225CA0,SHA256=ADD3DE96E9148527E5A25E040467280827DDD46FDC0574DC1BD56BDE8F694420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047818Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:08.783{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A635178BF6F02C4A7CA03EF3CA7DB25F,SHA256=7ADE3116EA748D72438E67E13970FF9D8E674B26835824DFE7F02F24D3E10F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034020Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:08.041{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9FB6A306C214290337104BAD279258,SHA256=ADEFBE41BE01AFE2CA7B1F8D3A91A5E34F8F9292658438C3DA07162F153FFBD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047817Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:05.557{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64464-false10.0.1.12-8000- 23542300x800000000000000047819Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:09.786{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F27DC43463D794676D202B63CAFE57,SHA256=C9E80264F580BB39AE80D87FE3E9A0F43EA73216EEF078B78F282E5ED9B41547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034021Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:09.045{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6E7E41FEABB17ED2999948341F434D,SHA256=0624935D7737147A7F36A040970E207079F78722664B6A3A35987E04CF0090D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047820Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:10.806{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EE31EFB3FF0725755D3F0DBCEFA7D7,SHA256=C93D7764E644F98F0AE76AE8C16CB39FA130BEB49193746525A40FF729ADBEF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034025Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:08.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51590-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034024Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:10.264{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D85C43AABA48BA08F39A0F8986075B7C,SHA256=D85378387758C350740E4FDE4BEADCA305C3F499E81BC46669CFE6FBE4C8780F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034023Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:10.264{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC05000872A0E75A0730999FC3907129,SHA256=95932AE5E88169F2CF93320AE53E6EB6C785AB4F89848F27B10A5FEDE762DB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034022Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:10.061{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E226AEA3FFEF69C2DC6A654287C129C3,SHA256=AAECF53B94C5768131B58CAB902F48A7C097FD8DD7EC529479DF5EDBE6DF0455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047821Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:11.854{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5C671D48781EC071CBAE23C35B855E,SHA256=FC674C0EB581DB4E28E5E70FECB6F2298DD35378B0868BDE060237AEC5D737E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034026Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:11.077{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E2DA526A27A1AD9C3CAB7D48D2A979,SHA256=30BD61821FCB0930F17CC168B4B6235B95282EF2A601FE0D701CDB25D505D05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047825Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:12.870{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085B166E1F99F9AD964FFA8EE6FD3347,SHA256=21CACE357A6FC494130BEB4872FC0CCD03D289F71FC0CA2BA47FE414B73287D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034027Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:12.139{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D32876C050835D26172145F9B2AE72B,SHA256=99C7AB77D6B78E1F2002110EC49A7EE2C8B4F01F76A6ABB887B08AB2DB7291D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047824Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:12.601{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000047823Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:12.601{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047822Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:12.585{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF95844e.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047828Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:13.885{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33045B20ED4EE6ABC99B7AF51BFAC103,SHA256=1AC6A2E8F245E86E79B3EC7BBB8756772A1C7C812B67CB54AC891F6BE75C931A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034041Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5AD5-6112-C606-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034040Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034039Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034038Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034037Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034036Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034035Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034034Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034033Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034032Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034031Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5AD5-6112-C606-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034030Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.655{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5AD5-6112-C606-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034029Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.656{82855F7C-5AD5-6112-C606-00000000E601}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034028Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.186{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96002892C1BB44D81BB9821061AD3417,SHA256=2CAD8553DF3519782919828DC09B13877540FD782C0389E7D5D9BE020E39E4B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047827Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:13.569{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047826Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:13.569{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047830Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:14.902{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162C4975A18C2BF8926221EC19F06E43,SHA256=85391D298754047A4E460D628126EC2D2B694A4734029267D6B29B08CD919363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034070Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.842{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0378DCF2A5C36306315953058ADA33EA,SHA256=1401DC753F8DA456C3062EBC0674C308119C48204997DAE78AED7BAFE016FD33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034069Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5AD6-6112-C806-00000000E601}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034068Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034067Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034066Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034065Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034064Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034063Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034062Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034061Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034060Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034059Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5AD6-6112-C806-00000000E601}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034058Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.827{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5AD6-6112-C806-00000000E601}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034057Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.828{82855F7C-5AD6-6112-C806-00000000E601}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034056Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.748{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D85C43AABA48BA08F39A0F8986075B7C,SHA256=D85378387758C350740E4FDE4BEADCA305C3F499E81BC46669CFE6FBE4C8780F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034055Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5AD6-6112-C706-00000000E601}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034054Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034053Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034052Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034051Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034050Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034049Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034048Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034047Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034046Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034045Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5AD6-6112-C706-00000000E601}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034044Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5AD6-6112-C706-00000000E601}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034043Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.327{82855F7C-5AD6-6112-C706-00000000E601}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034042Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:14.202{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F173D4AE232FA14C63CFCF7054F90B15,SHA256=0D03ED35020BBB46231BF22650CB565462DC43D121E8CD641F8DDACDCB0DADBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047829Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:11.536{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64465-false10.0.1.12-8000- 23542300x800000000000000047831Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:15.921{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782CAD3D3FF3B7FE982514872C403705,SHA256=A72BB872E3E10048174C4CFA0028AAD65F8BAE1792099CF6C07AE2D9E025F88E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034087Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5AD7-6112-C906-00000000E601}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034086Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034085Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034084Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034083Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034082Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034081Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034080Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034079Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034078Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034077Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5AD7-6112-C906-00000000E601}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034076Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5AD7-6112-C906-00000000E601}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034075Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.875{82855F7C-5AD7-6112-C906-00000000E601}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034074Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.859{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A202153EE3F89030BA4764106A5183,SHA256=1174F5A6D5B1E0C9D971DE14AD4C70846C9E98388B66474C0810B92FDEE935A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034073Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:13.928{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51591-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034072Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.389{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB9A08FB22FAABEF59844C6D4C647C6,SHA256=8F7FE1C0D590064A800130F64562E48FF07562A6843D6BE1C781C8AFB3752E0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034071Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:15.077{82855F7C-5AD6-6112-C806-00000000E601}8801548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047834Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:16.937{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E384BED03B8BED86DB33E2C9AA5E6313,SHA256=86BEDC3FF5313DEEC145EAA6A736A3EBE03F3905B2AECB52F359D3702EAA4EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034104Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.906{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62E098BAA5F17B5043161B1F3566E95A,SHA256=E22F59E8A6A3EB14018915EF1F6595C85A44BCA24B635368CABA927ACE958D93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034103Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.687{82855F7C-5AD8-6112-CA06-00000000E601}38242016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034102Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.640{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1868F1EAC579D60D513BBD52EA1EE056,SHA256=173CF6842ACEF501B7D106C302944344E7D862728E7A2608711D7E1BE2C5F870,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000047833Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:16.301{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txt2021-08-10 08:54:16.052 23542300x800000000000000047832Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:16.301{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txtMD5=0D350B60A6B62FAD7121C4AFCD50CDB3,SHA256=D200805EF897D8E7752E96D21115B644873B919D75E6FD72F9572362BDE86A12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034101Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5AD8-6112-CA06-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034100Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034099Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034098Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034097Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034096Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034095Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034094Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034093Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5AD8-6112-CA06-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034092Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034091Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034090Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5AD8-6112-CA06-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034089Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.547{82855F7C-5AD8-6112-CA06-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034088Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:16.062{82855F7C-5AD7-6112-C906-00000000E601}18643220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047840Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:17.954{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C331853875A5EEA7E4403CCA08CD163A,SHA256=0E5D89CC91E636D54D9C0CB1DA08D394C44F4656DFD00B32AE2B5B7CAB125130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034132Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5AD9-6112-CC06-00000000E601}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034131Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034130Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034129Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034128Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034127Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034126Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034125Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034124Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034123Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034122Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5AD9-6112-CC06-00000000E601}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034121Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.890{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5AD9-6112-CC06-00000000E601}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034120Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.891{82855F7C-5AD9-6112-CC06-00000000E601}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034119Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.656{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B192B8CDA006CC4E983B6EC238BB604,SHA256=182EF71DBE195CBB70E196DA48DFA1912801CB4E3E1FAFF903575D038B26FC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047839Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:17.768{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047838Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:17.736{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000047837Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:17.736{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000047836Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:54:17.736{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.63.140180706C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000047835Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:54:17.736{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.63.140180706C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000034118Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.406{82855F7C-5AD9-6112-CB06-00000000E601}25682816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034117Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5AD9-6112-CB06-00000000E601}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034116Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034115Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034114Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034113Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034112Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034111Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034110Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034109Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034108Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034107Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5AD9-6112-CB06-00000000E601}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034106Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.218{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5AD9-6112-CB06-00000000E601}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034105Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:17.219{82855F7C-5AD9-6112-CB06-00000000E601}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047843Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:18.969{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BF7B3FB7BC5B56A6FA971F726E3C80,SHA256=023C8C9ADE7508466CA6A75A0DA9C9DF401CF90E8E6C5C33FD260F76617BF15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034134Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:18.687{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C678DCEF0421D7924E3DDBF7B85F9F9,SHA256=F00E2F1F27BA4641DF917759C96A7E4214C4F4BF4643306C39619275331D086F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047842Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:16.266{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64466-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000047841Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:16.264{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local60391- 23542300x800000000000000034133Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:18.234{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D680D60719B51C2DBAF5305FBDD2B43,SHA256=D69B2535129DD09D953A37FE972840AE87AB4562FCE620456CB0230F66F8582F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034135Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:19.703{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C84D0B814324590BB44A035842BE7,SHA256=99B62597F5DFA639C14FA5338270994DF99E6A5E4A6980D28539164DCE660942,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047844Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:17.535{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64467-false10.0.1.12-8000- 23542300x800000000000000034136Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:20.718{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A158B9346D7ABB9DE52639B80708CAB,SHA256=7445E502E4263E0D572589077CD0C77AC6A3B04CEF152AD697D75F1D8D5A6790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047845Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:20.003{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9B6B6D907B1CE3278F8BB350F30DFF,SHA256=A65F1815D6C4BABE3F2A0B424B4D1B563DBD4FD4AD2A3AE9D2EEB8C8CF4D4370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034137Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:21.719{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8F59A8BF69D53A9C5905F81202C531,SHA256=E9D6256B18F14AB01393E243170A7144CE500DEEB21DBE605C844DFFFCAC1CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047846Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:21.022{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A860EFADCDA8BC2C37CE6009C7AC4DD,SHA256=AA11B10F5A7812F678A15317DDDEE7062E9041EE56007814E023C490D5E2768B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034139Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:22.750{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71B0022946CF02066595EC411D98D4,SHA256=69535D934CB33B30B8434D217FACBA66869DF173BBC24226BED77D73F335CBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047847Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:22.054{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBB99AFF7532DF9D23474BE700EF95,SHA256=57F9BD7A79781D9B6B4E301BF40BFEC3C51E5C3255F6C6FBB5511A538D975E58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034138Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:19.898{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51592-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034140Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:23.765{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4CFF9F395A99C2F8FF0D0697C6647B,SHA256=CD20154983303064C279E0F4E8F87042A110292DA0881DBB51C5ECEA84931193,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047852Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:21.395{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.14win-dc-15.attackrange.local53661- 354300x800000000000000047851Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:21.395{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.14win-dc-15.attackrange.local65535- 354300x800000000000000047850Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:21.394{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local59600- 354300x800000000000000047849Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:21.393{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local58512- 23542300x800000000000000047848Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:23.054{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152EAE1497ECBA9893CA0602DBDCB2E1,SHA256=3BC2E31081579122C6389BCFA355A292498BA3C13C722438C1DA7E8526B30B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034141Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:24.797{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E931959DF5016AF488A4C09871BECA7,SHA256=74175A017C23E7ADE309E494BAE85A8BE4F131148B7770D83ECC037BA5CC04E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047854Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:22.604{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64468-false10.0.1.12-8000- 23542300x800000000000000047853Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:24.069{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1028B813F5A3091B0ED7CA80B90D82,SHA256=88ADC269DF3B1D1672F93D4E5F613498186D3E712DDE077DADA3EDCE064FA197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034142Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:25.828{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A427053121DDA88F8EBBC9C439BD587,SHA256=63E4E8604FD6BFA83B4D53B966397E8FFA430C9C5892BDF8A68EDDBA8C67673D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047855Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:25.071{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B4B600F4661F9A318C293B3A0CFA5F,SHA256=AE9C1288B521F1D7A8B910D8409874A89D1C9AAA8E0FACF5D4F5D8015C8057CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034143Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:26.859{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A193662DF9E38158DEC5C5E96D4F54,SHA256=EC0661CCDA19216CCD8C9F49FCF57D531191490BC401C84135FF9BCEB234B8DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047856Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:26.071{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E285D0644786604F108B68CAA9F64F2A,SHA256=4A0AB8943D462AB5B58E59F1954B9D471037BAAE168FF8F0BE29C87692928E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034145Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:27.922{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18E918D31420DEAD168A3578B9B23F5,SHA256=537AFE1FCBA2E14515603EB3A7970FDAA3EC38794D125F83BAA17669056ED237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047857Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:27.105{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7715270D587E819F17CC9886499B9910,SHA256=58E97DF583FB61B925F4735745AD035474614EBB829E53C45693BC728246BA81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034144Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:25.835{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51593-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047858Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:28.123{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A32858ACDE10C932B5B0BCA8E0E590,SHA256=EDEACDC2A1B9EFD1DF09D7AB927AB4CE8AC38F937F22EA2001265F51EC2958F1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047871Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047870Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0095c733) 13241300x800000000000000047869Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0xb5ea3af6) 13241300x800000000000000047868Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd6-0x17aea2f6) 13241300x800000000000000047867Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78dde-0x79730af6) 13241300x800000000000000047866Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047865Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0095c733) 13241300x800000000000000047864Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0xb6101a59) 13241300x800000000000000047863Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd6-0x17d48259) 13241300x800000000000000047862Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:54:29.702{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78dde-0x7998ea59) 23542300x800000000000000047861Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:29.124{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECE63725B082F489A0E8F1BE432C420,SHA256=6F80A31745E29C9B67CF4CB0E73247342D002EFCCE7D908F3C2671E076D78B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034146Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:29.015{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804ED2C4280FA758ED03C2AB16F24A39,SHA256=7B247593F80FEA2B60B622B3A0F892877F206CCC9BE22A6FC13B377F40F5CA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047860Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:29.039{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047859Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:29.039{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D37D9A06527BDA5092CB4B26AD5092C1,SHA256=B1C7E8B0E50DF6774425D46F92657615125D7E11E58B60EA91494BE421AE4B78,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047874Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:28.574{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64469-false10.0.1.12-8000- 23542300x800000000000000047873Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:30.570{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047872Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:30.155{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73491F79DC226B08AFCEB3F8B849E74,SHA256=7A77698B856EE99CA7F5CF851F6BC95ABBCB24F6D5A80C7733E46D8A1A3DDB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034147Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:30.062{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98026E7B43D7BA444F69792C051E35DE,SHA256=0A6AFA7272862C77C8E21AE8B26AA4EAF7E00C64BEA209378554CB089CA44FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047875Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:31.223{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AE1E5726BD9143B752E9253F37F384,SHA256=51796296067D60F8CC2ABB1DEC6176B2EF93BFD495FE8B897513AF948EF867AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034148Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:31.093{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC2EAF967A13B0EB793A944CE9BBA66,SHA256=5DC36D2E330312009A6828637FA139542EEF341B84A6EC8F501BC61B3D34A4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047876Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:32.223{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BAB60E0C45312028E6232DF3373188,SHA256=E7EAF95F8C0E6D3141046C7D414C38E124C012300DD95D6D8CCB313001AD49FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034150Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:30.960{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51594-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034149Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:32.108{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529755264045E6FD90CDAA84ACF84479,SHA256=E377B00D789C50DB072FEF0A2E204B7F1648730840A42FBE6EE30DFD4F78FF42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047882Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:31.436{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64470-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000047881Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:31.436{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64470-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000047880Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:33.653{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047879Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:33.238{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D94F2ED2858F3CDA6B357D1ADA7C9B2,SHA256=9CD02D668DBEC706C35E991CE1C731B9263C9BF9D5A0CBE8AC0BED6062254411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034151Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:33.171{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062C46B98B4355FB833437801441B6C3,SHA256=898AC1AAC40F9CA1EDD903BB6EA93589955CFAA28E68FBAD2DC9B6EDF586C5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047878Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:33.022{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D85C7F79FAD4B41890CF7DF87EEE612,SHA256=A76909F92970C7F46C24D32A008FAB7EF3F1AF5CA293EEFB2B43EC8357812ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047877Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:33.022{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62F8B85E3A87A5F9BBA1F3824ACE1E55,SHA256=488876B8C1A2E0CB28A2948EB2698A06C6181669B50173980F6C3BE9943650E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047883Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:34.254{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AAD20BA1FED442F73B56CB41CDA5F2,SHA256=B516C64DD3624FF4AC133D41D31BC7472BFC01166C25E4DE39D472E0B24B8996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034152Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:34.187{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A0A4B7F25FE417D4A671A5369F36B7,SHA256=0B156842AB0FFF257317D01C1EF8D9502F797D4B3DD2F40B5153FD41BA389274,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047886Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:33.588{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64472-false10.0.1.12-8000- 354300x800000000000000047885Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:33.072{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64471-false10.0.1.12-8089- 23542300x800000000000000047884Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:35.271{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9F2EBB12D2E81783522F1474961A40,SHA256=93BE52B61F34EFBA5DFE03CF3D7FB3350F1F8044ED77F596E2CD9F2401DC76C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034153Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:35.202{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E076179860AE9C775232B972ED1A54A6,SHA256=336C88AD4FFC74A61AA8AADD179F8B1B049513559D86CF681063F841A89A2682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034154Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:36.218{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDA776FB8ECF70EEB4DAB1FE625D4F7,SHA256=8CBF0D73F8F93499B06788A0406F3109E55601655BFE6A948F1BAB60A4E57463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047887Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:36.304{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D638E6ECF4376520A99C8B8ADE46281,SHA256=4EDBC2474F3B6C8793E3EB709A6011C5E38C78884079CB342D256F6C23A4374D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034156Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:35.960{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034155Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:37.280{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB18B70801C0E8E2ABB19C48F09E969A,SHA256=868BECC95548D46A9CA9823353BAF21E6F9D48AE46E8C63B11559B9FBE7ACA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047888Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:37.322{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFD99197A0BDAA890D0C96FCD7BF975,SHA256=BA9355DBD071101BAF5D09B4AA4B83ECE5F47B643CE933A56A9B973DDD16EAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034157Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:38.296{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1F38BD5C942564F425B97946D37E31,SHA256=E4A5F57BF87AEFED0D74C6033E0A7D83F84DB380FDA2A60372DDDB8F72AA4525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047889Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:38.369{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E55BCDFF5AB8D43174681C6A67C64C2,SHA256=9E80F76F0FB52ADA896D6C3F04FAFA1BD05DFE0FA02E928EB311E2BE6DD55749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034158Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:39.343{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0AACBC586FA505E911E453B7854041,SHA256=C10A05942AEFEC26FE1934E60141C7F02DAB09A420F60BFACF350710900BC49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047890Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:39.384{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277B4027E9FD3BECF1C800F5BDE171AE,SHA256=B93C67EB797D153DE8D3B12AE261D6F2AFACE29E75C6EEBA9225649A3B6735B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034159Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:40.405{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF25D38F75160AB868F42E8A23816BC1,SHA256=FBA9062681515FAF81E03C1FD72B4203B0D98D8BC12B11C1AC7A1873B61E3752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047891Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:40.401{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BAC4DB862D887AC40DD2F27B435FC1,SHA256=5259085090466F506981C2613DC9B8A565C5D2A1491B5AE5F6CD533FB0FCC43B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047893Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:39.534{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64473-false10.0.1.12-8000- 23542300x800000000000000047892Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:41.421{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC1773A8067FF1BCA6D27E1C6DEBB78,SHA256=2E969907EA9E2352CAAD3DAFEEBEB3B7C239123F7790A9BC9B2FC97358BD7F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034160Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:41.421{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7828B8334DC1F9893729FA3C5EB123A,SHA256=A92DBE18D26E8E70B43F8229358EE154B52C8DFE46ED0D0C0D0EC36F37758560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034161Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:42.437{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F163BD8AF089D46D4698B67C5F65174B,SHA256=C338658A4D7F42F284BE700F08806FB2D269E9CB9EF8EB787EAA96350AD06E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047894Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:42.436{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A467714A39DB2698D5F86D2DC0F21CE1,SHA256=3BC6CCE5C0E9428A3B785629BB44A7D35A0B567C71E8C4DB0C9A02187F60280D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034163Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:41.976{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51596-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034162Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:43.452{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689FDC85CAAFFB859ACD18D0AC8CD5C4,SHA256=87FC5E2F11505E04ACA4BC8FDAC278342BFE08D249AC5D996E77A9977ED0E158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047895Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:43.451{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D478E072DC0B9F9189BB6D6634493C0A,SHA256=3D1C912916220B67EFD0AA9C2CE304B6D9EAC9BD6E0E001B23271094BCDA3BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034164Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:44.468{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D4BCEC53ECCB9B4ECB8BB4267D275A,SHA256=821BE78196A64E441EFF116ED6A4D8BAF9C05B2551922C1C9A6FDD9BF1A3969A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047896Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:44.466{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B5D589CB8CDFDACE1765F7E0A1ACC4,SHA256=CB0BF1A636A7EB163D3BE333A0D391FCDDD4161714770FCB4A7DC495FA6E6A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047897Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:45.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10694C8E6AF0ADD0404AB637A3FA33BE,SHA256=9A05F1F8AB42805A1338CB796A9C0BBD3EA147592C3A31F40EE826E810EC95FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034165Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:45.483{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834E2B80D2F23B75F50AE98AC0EF3437,SHA256=4BB9C5A48F8ACE62049DA3D9F2ED21A79AA35673257C7F42643CCC57C8F71C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034166Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:46.515{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADE4E0ABD2A599D8F61964C652C1A75,SHA256=9AB61E1C455AD1797B4003481EBE1E6C4AC8731108398317BF9C9163A2BFE289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047898Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:46.500{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96C8B1FB0F0B4C3CC97409CD3DC3CD9,SHA256=FDB2B49CFB6064B8618B1CBE30C1BF467B19DC1C26A13F13B0D85CA3F42B595A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034167Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:47.546{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78ACFED3E714DCE0404493D9CE3979C1,SHA256=9B59DB70A46003628F2A21196345FC81C5BBAC72D58D390BA35D8B3E78D8CEE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047900Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:45.484{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64474-false10.0.1.12-8000- 23542300x800000000000000047899Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:47.517{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12AFC5F80E04777FD33D07A83278783,SHA256=18E81A3D0C24831E638EEA80917ABD4E6F617D4726121DA54A3B4087CC4AF224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034168Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:48.577{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A698400A5F2690876C4484EBBB928D65,SHA256=D7D93E982B9CDE5F418BA1EA43D4F6DB79D29D68576868A9DDE99B3F96E35FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047901Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:48.532{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3CD7DF5627EA88B36E541EDA581A4F,SHA256=A3118B1895131D6522BDAC63F71ED35183A1450BCB814C35C6353D32F58DF6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047902Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:49.550{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04481EEE221D6F96EEF197577C9345F,SHA256=BACE75D39AEE27DC879854BF61DCA01D2BEE6D83FFCF454CD0E877AEDF24C539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034169Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:49.578{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085C677363928500A23AC7897C2EE524,SHA256=26A6B8F9EDB77F3CF6FBFC803B5AFE9B9428BDF56FBF956038054DEB97EBB761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047904Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:50.580{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DF11C69917F26CF1E670D784F5180B,SHA256=B5BD18796CBD6CA9B8D9293F2D1B6750C3C0D5A80C9FA6B43CC9E80B189C1B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034171Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:50.581{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B7C6ACA77AAC6135252CFEC02FF875,SHA256=E704EDE1C0AB0B0871F167ABE2B11D85D84D9D95AC535672D972B597D70C4503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047903Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:50.218{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF961757.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034170Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:48.006{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51597-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034172Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:51.583{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD31EF40715589B81718ED9A2184EF6B,SHA256=C94BB96F15453A3F412FE1C700535F0E18B823EE51A2C7EAAC6BACA5D9B554DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047905Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:51.597{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E298CC432F73FC8CFCAE8350BF1F62,SHA256=4E81E946972E5D8441B3D01F8A490F250B0B3FD56C095FFB1B659B1DA5FE3994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034173Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:52.599{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD57BA0F77BA8BD6C6E72A66C720DB3,SHA256=81CDA969C1456242E02185B918B9266AC0BC4F2B1BBD540C63ED1C5EFFCF15B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047906Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:52.616{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E35EB5654BA5998E6F0B12251C19829,SHA256=17BF4388E8FA776E070193EB20E9C7ED7B509B7E39561E05B611E08079A9054D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047908Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:53.631{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E23DA6FCC885472330BD7D6EFCF69FD,SHA256=4E6F0871848CC22A663DA79F6963CDF18F8A9490BD32C3DB8062CC5EA14574BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034174Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:53.630{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0101C41F4AFC8D59098D0ADC6C9496E7,SHA256=6FC05F900F33E4038171F7509D5142D917A4AFA100C1262CE591CF0210925D89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047907Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:50.499{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64475-false10.0.1.12-8000- 23542300x800000000000000047909Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:54.662{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4707DB8D4230DFAA5899F3553E7158E8,SHA256=005697DD2C325A742BCDC3B93AE10B2D2D3CBB203E0477A4DD87AA7BF8762FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034175Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:54.630{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE2D0C2529D66CEB6B1EF3DE1277AFF,SHA256=9AD951AAFBCB8703108CF215EAB74941F6373D064AECC7B5ADA6D1E272CCC6F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047927Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.945{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AFF-6112-5B08-00000000E501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047926Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.945{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047925Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.945{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047924Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.945{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047923Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.945{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047922Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.945{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5AFF-6112-5B08-00000000E501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047921Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.945{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AFF-6112-5B08-00000000E501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047920Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.946{82A15F94-5AFF-6112-5B08-00000000E501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047919Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.697{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC3AFAC001D82F5F232C99F5FD89F61,SHA256=972D307F2DB8F0DB692014AB5DD3EE37BAFC27F0CD690DCACCFF1623AA173921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034176Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:55.645{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA613A37F7A2D5BD9CE17F333F7C8BD9,SHA256=6AD0FA38CC1A8E75278CACC1EF1F1A697A71DAD9B040F63EC195E57A249DD797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047918Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.430{82A15F94-5AFF-6112-5A08-00000000E501}46402228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047917Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.261{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5AFF-6112-5A08-00000000E501}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047916Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.261{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047915Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.261{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047914Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.261{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047913Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.261{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047912Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.261{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5AFF-6112-5A08-00000000E501}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047911Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.261{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5AFF-6112-5A08-00000000E501}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047910Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.262{82A15F94-5AFF-6112-5A08-00000000E501}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047938Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.729{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0F83F98590E1986F7300E541AA6353,SHA256=64868A8702713088C83057C1D5CBD9F3EFF79BDF260A69F916D34D8C5B1B53CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034178Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:56.677{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6284BCECC05A4919FB458EC992DF00BD,SHA256=2C12A283C1BE95D42B80B089F8883151310865A71F42894B61EB8BD23B5BC95B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047937Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.613{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B00-6112-5C08-00000000E501}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047936Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.613{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047935Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.613{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047934Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.613{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047933Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.613{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047932Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.613{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5B00-6112-5C08-00000000E501}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047931Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.613{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B00-6112-5C08-00000000E501}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047930Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.614{82A15F94-5B00-6112-5C08-00000000E501}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047929Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.276{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF1B0885DD707C9CC80448B76356D471,SHA256=C4B3C0990810AAB7D576D1C4AA8F1F04B0D082C501E8FFF650BCBC792A5E3693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047928Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:56.276{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D85C7F79FAD4B41890CF7DF87EEE612,SHA256=A76909F92970C7F46C24D32A008FAB7EF3F1AF5CA293EEFB2B43EC8357812ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034177Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:54.012{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51598-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034179Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:57.692{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A212D1E03B2CE57D8F3DCA2F2783CDD8,SHA256=6238184C97F9DCD448673FF49014CAA4E7AC733BBFA61D779D0A58A12564D2A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047957Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.997{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B01-6112-5E08-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.994{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.994{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.993{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047953Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.993{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047952Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.993{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5B01-6112-5E08-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047951Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.993{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B01-6112-5E08-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047950Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.992{82A15F94-5B01-6112-5E08-00000000E501}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047949Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.760{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC4F2C05390EF852AEC23BEB9571E2E,SHA256=11621DD157DF8BB4F82BF0E53B9EDDF6029E7A3C2F83ADB271362C80CCAC6FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047948Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.660{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF1B0885DD707C9CC80448B76356D471,SHA256=C4B3C0990810AAB7D576D1C4AA8F1F04B0D082C501E8FFF650BCBC792A5E3693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047947Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.544{82A15F94-5B01-6112-5D08-00000000E501}60046128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047946Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.360{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B01-6112-5D08-00000000E501}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047945Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.360{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047944Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.360{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047943Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.360{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047942Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.360{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047941Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.360{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B01-6112-5D08-00000000E501}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047940Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.360{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B01-6112-5D08-00000000E501}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047939Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:57.361{82A15F94-5B01-6112-5D08-00000000E501}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047970Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.997{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FCEFDBB97DC61BA6D5D73CFAE0D8340,SHA256=3500A11CE8B58414D8A5F8D9DD94F4100FE96442FC273BE7B83D716838384C1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047969Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.843{82A15F94-5B02-6112-5F08-00000000E501}71325660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047968Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.775{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B462F3348DE1B3BA7160C627E468A3C2,SHA256=7D42A101F7E686AF53DE16406F3F2C9ABC7F42934660AA54530ED3B3F64B40B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034180Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:58.724{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6333A5D1B0803D484C634114D11C5C90,SHA256=628954FBF0007DAD2CEFF1997C191874B8DF2A3E7523147660F86538BFB4ADC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047967Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.675{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B02-6112-5F08-00000000E501}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047966Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.675{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047965Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.675{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047964Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.675{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047963Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.675{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047962Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.675{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5B02-6112-5F08-00000000E501}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047961Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.675{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B02-6112-5F08-00000000E501}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047960Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.676{82A15F94-5B02-6112-5F08-00000000E501}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047959Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:55.664{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64476-false10.0.1.12-8000- 10341000x800000000000000047958Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:58.144{82A15F94-5B01-6112-5E08-00000000E501}46642724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047979Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.778{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3AC48C4A422CAE89178DACB616D425,SHA256=AF31FA4DB8632FB9C99DA7D8663A6A3D6E90DB1C953411D2CFA7E820FC4AC4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034181Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:59.770{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C655FC5C3F323004E5D9380B1915B0,SHA256=954CF05000D224EB9CE2F4254AB73251F101FA2E6A37C768083E49817B7BFDEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047978Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.348{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B03-6112-6008-00000000E501}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047977Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.348{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047976Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.348{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047975Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.348{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047974Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.348{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047973Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.348{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B03-6112-6008-00000000E501}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047972Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.348{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B03-6112-6008-00000000E501}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047971Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:54:59.348{82A15F94-5B03-6112-6008-00000000E501}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047981Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:00.815{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB23740554EEB8ABDBE78E449348402D,SHA256=1F7150D853AEE41E4ABBFDD480C2D2430216EAF4077199D2D122CF3B2072E5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034182Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:00.817{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB3C132CA8DAED0AC05A36691EF5534,SHA256=89C0D1E3F36818C096C76462F5B88EA5A893C2EF16F43E559F86A7C36751647A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047980Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:00.362{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC8EDD2C1D26EEE67AEA8694429F1D3A,SHA256=4B019B8448EE7783312DDDED52B3EF04836F0EE8F3689DA3E7A186460A557DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047982Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:01.830{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB560F286EAE5218D23E50201A98E6D,SHA256=D5571B4741B956CB987C70331BCFF6EE22A61DCC09DF240C2F0AA255EF4C2B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034184Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:01.864{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8283B8B11A8704D069A48B395B46687F,SHA256=F7E85541D0095E396E69E345534A1B24658711761B730795F4F0FAB493EAFEEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034183Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:54:59.950{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51599-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034185Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:02.895{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8773D25F891DB4008894FE2D49BA64,SHA256=A034D4877CEB203290265A35D8DA572CE59EE81E277BDDFB6A777668199ED241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047984Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:02.847{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A319E5B4E6CCF09CBC4E8FE67692010,SHA256=EAE54A89E29BA8A4DB6D6B7643D6CBDE2406A8C42527CFDEA1B598246237FF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047983Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:02.163{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BBA60A04BCD24EB4880C54D4323904D4,SHA256=1CFB827F6AB870FDC32A0EAC07B81B32ABE44A535AA0B4A2A1E4681799840154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034186Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:03.911{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DFBBDED43F125CCA364269BFD88BB2,SHA256=F4FD8EC67D66F266FE4BE0B617B2FD9200CDE0157556295E428EB16ECEBA3EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047985Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:03.877{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB0D1A142E99726FB1F8412C65EB1BA,SHA256=469141235D3CCB0C7825B2A8CDF9812645FBCD2DE22B62BCCCBE73B3BBABE29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034188Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:04.927{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43547DA82991F80DA187727B257301D5,SHA256=F18E5D1D479991CDFECDCC0B4CE1E225AAF532391529AF3620A1923B5FE35ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047987Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:04.894{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B166FD033BC3EF2B63576DE56CD6C6,SHA256=82A6A9F66C40BBAD16C4C2A7BE857E42E8C0177D9E9C1B0457F045FEF229D254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034187Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:04.036{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047986Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:01.630{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64477-false10.0.1.12-8000- 23542300x800000000000000034190Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:05.974{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F9D6B76D0A59C97B36A0A8355EB2D7,SHA256=21346B6D9D605C7505690B93B8AB10378BB8F04776E171DB0DAB77EE2BBC2C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047988Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:05.897{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC8B26FCBC7E73463DE6B2EC53E1EAA,SHA256=4A70D05284F544CA24AA4FE2BD37397FAEFDA669F0DA81645251179B9FC94D16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034189Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:03.793{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51600-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034191Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:06.989{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA84AB59176A0CA9AF29AC818E84AE8F,SHA256=716E89596FFC4395B0F1CB67CD76398396EF05EDBBE1EE20F840689DCCB25D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047989Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:06.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB7FA31D045AF7F82D8CB4A5D41D071,SHA256=710A29027482812E9A9F6E01954138D00CEDE9074F593E48A8A6BC6120A4BBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034193Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:07.989{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746DC993C137F7AFA5B7E1BF4B579FA0,SHA256=B81DE48797A6F632D18B6CB32F97CA7B436D8E92C3BC1C3241B377615D7FEA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047990Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:07.929{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7122B96955ACE4C6F6CF2909F1FAB1,SHA256=ED71AF0559C601EDE0615719B9666F2D8092D440B2F84341F57850D0E24B3614,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034192Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:05.856{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51601-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047991Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:08.935{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AFD769930AE897C882C3BAFDF7CC40,SHA256=2A6A3F8A2C57D6B468473613DAC3BDC01C999173D332D63C5B18D5F704C87A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047993Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:09.943{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CDF4F1FCF6BC33D7EDFCC60C1DA76E,SHA256=7AE8941D1CD659CA24188042952653E9110A20E6FEDEF9B999EE13AC6E65269A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034194Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:08.997{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D1D10B6754807ACAA356B4238B0470,SHA256=F76C729D247EDBF3ABFBB34482D4FEB7F2E82FFD0C8B832ABB6A8F0243D03015,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047992Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:07.526{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64478-false10.0.1.12-8000- 23542300x800000000000000047994Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:10.958{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6ABEF95A8D8D6C54C17C265011E108A,SHA256=5DF71028C4439585AF0427748AFEBD9BBAE150B71939574D1A8157AF6E99AF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034195Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:10.013{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEFC9041E8930600848A0028DE14F33,SHA256=7434A5EC779AC5F90EFC96F268EF4947BF4F49E773113AF60AAE203C49CAB55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047995Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:11.974{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C03C13B35F5B383BCF867F2580852BB,SHA256=188EEB11FACFFB996783B27DE3990CCE80CF3EFAD04ECD1C6F2E0EA25E0E6543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034196Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:11.029{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306E58100FA4A04576EA259BFE5EC83F,SHA256=C796EE8C935294A24549B5BA870CCBA8E60E843A6590F531872F4D010BF15E6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034198Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:10.864{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51602-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034197Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:12.029{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BE97E630EFA5E25B6E4EC410E5ABC9,SHA256=812D7A00B580276418D120B41CB0A546F1BFBA361FF88A42DFB5ADD7F1710B98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034212Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B11-6112-CD06-00000000E601}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034211Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034210Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034209Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034208Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034207Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034206Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034205Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034204Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034203Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034202Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5B11-6112-CD06-00000000E601}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034201Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.669{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B11-6112-CD06-00000000E601}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034200Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.670{82855F7C-5B11-6112-CD06-00000000E601}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034199Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:13.029{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B69B17F33A447A2A7F01D7A1A9E9602,SHA256=6CAA0AEBB5621633D423D828C0F514B2877BCF038D72063D3A4969F0470F7802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047996Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:13.026{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76ACD261592E7F0DA606032E28BA6492,SHA256=CA2AA9B92FBBB602D9B5B3BBAC8CA3163A7328CF2D211BBF3BA942E2A91724C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047997Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:14.041{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964353EDEF3A373995AD703FE5ED730C,SHA256=313196F61FABC6CAB0190D677E6449474420E1788425C5AD67F0AD54B73008E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034243Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.857{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0D91A5944482D011BB7A5B0E32C1A9D8,SHA256=12C7C84D5ABCD6A661D148F5C5B8C5E3A85C13A0FD495F5B6BBB416F07E39DCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034242Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B12-6112-CF06-00000000E601}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034241Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034240Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034239Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034238Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034237Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034236Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034235Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034234Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034233Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034232Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5B12-6112-CF06-00000000E601}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034231Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.841{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B12-6112-CF06-00000000E601}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034230Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.842{82855F7C-5B12-6112-CF06-00000000E601}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034229Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.732{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0231BD21E776DD4579B01BA444FA18A1,SHA256=EA6C52DB11042F200B3349655FD670ED9D64EB7F390A7455606E5E3F6742230D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034228Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.732{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=623FDE6C18A043ABD55527CBA029B7AA,SHA256=E9649AB7BBB97B45AD4C9D900546EE61964377C878763800E0CC956D64D41551,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034227Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.341{82855F7C-5B12-6112-CE06-00000000E601}1888724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034226Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B12-6112-CE06-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034225Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034224Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034223Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034222Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034221Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034220Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034219Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034218Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034217Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034216Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B12-6112-CE06-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034215Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.169{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B12-6112-CE06-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034214Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.170{82855F7C-5B12-6112-CE06-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034213Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:14.060{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71935AFE839129D80C13D59771A1B0EC,SHA256=17AD4701B7E2ADD8795BB2F43C0819D30188A4659CC9B02A32CBA063CF9897B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047999Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:13.476{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64479-false10.0.1.12-8000- 23542300x800000000000000047998Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:15.057{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD80E029C6C3DF3FC32F6F030EDD72B3,SHA256=E5FA5E234C6FEC1DF0407F3ED6479D9E22049C62A2B8358B91D80494EE48468F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034258Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B13-6112-D006-00000000E601}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034257Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034256Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034255Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034254Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034253Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034252Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034251Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034250Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034249Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034248Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B13-6112-D006-00000000E601}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034247Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B13-6112-D006-00000000E601}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034246Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.904{82855F7C-5B13-6112-D006-00000000E601}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034245Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.857{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0231BD21E776DD4579B01BA444FA18A1,SHA256=EA6C52DB11042F200B3349655FD670ED9D64EB7F390A7455606E5E3F6742230D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034244Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:15.138{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3D6E971E160B8E82A34A39BF3C9CD2,SHA256=9DF77A0E8C986C41EAEB7531F22E80F7296FFD7EB59FEFC143EE94202BCA3142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048000Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:16.072{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F95EDE948A489D4754982D12D86835B,SHA256=FD73963A4EB42A7510B06E6575C077C676C50C13E204349940DE027C2796B7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034275Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.919{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A8D2846A51E023FFC220BA89E9091CA,SHA256=1D158BB33197D73E45D71D19E6C4F3E506068582F2A5E677299F4D19B5B546CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034274Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.701{82855F7C-5B14-6112-D106-00000000E601}29841940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034273Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B14-6112-D106-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034272Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034271Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034270Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034269Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034268Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034267Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034266Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034265Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034264Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034263Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B14-6112-D106-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034262Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.576{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B14-6112-D106-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034261Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.577{82855F7C-5B14-6112-D106-00000000E601}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034260Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.185{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FD037C6736560AF9BA5878A69229F9,SHA256=E7638F3241A28BC315CC8B452EEBBD63E124C8EA0814E773DE4AB3A21833597B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034259Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.060{82855F7C-5B13-6112-D006-00000000E601}26603036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048017Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.889{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048016Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.856{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=E0F094F14733825D861630EC5AE338F6,SHA256=98042208C0CE333714DADC069E40A0F735A049BEE0729DCAB94748A596AEF5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048015Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.856{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=5E57CC37E4B6FC809C5E9C426877F142,SHA256=DC7F05DBEF02DFC45B932A650EA03448F95F77EC5BBAB86618832461E4D60A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048014Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.856{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=0EAE44B08DE1C378B49B2CB801D3CDC8,SHA256=F85E4ABA54E1280B08211BAE8EA4124D0305A9E5F690001FC4664DF61161CCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048013Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.856{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=77BF2F4956202C47F242E096C64A6C55,SHA256=C2E28472D3D8F7EE1856E633E171AE6ADC41E0F2C09BE90B4C4C67CDD45B8428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048012Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.856{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=493EF370067A1284E2E16BC6EEDD7870,SHA256=17019E73F887EF0D0CCFD4D7863BE67C2344BBAAD35A23934C714A69F468CA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048011Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.856{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=3E44E03C8FA01C13BB35A2A198DA387A,SHA256=64587C9613C99C94A1390B7E950D890C971F6F45AC5C399EF81AE05260CE8FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048010Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.840{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1BB9B3AC6BB83CCD99E74910AD6A64E0,SHA256=B00CD1F985FD23D00FC612AFCB4383BA0509AD8B547287B0C735EF9DB338A6CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048009Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.771{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048008Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.771{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048007Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.771{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048006Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.171{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048005Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.124{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000048004Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.124{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000048003Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:55:17.124{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.22.56469796C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048002Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:55:17.124{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.22.56469796C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048001Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.089{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95DA5FE8F1602F79459617144A64716,SHA256=8BF3EECCBBCC09A87791439DACB13C9913C70966828890FE07543A09F0BEBDE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034302Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B15-6112-D306-00000000E601}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034301Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034300Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034299Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034298Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034297Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034296Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034295Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034294Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034293Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034292Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5B15-6112-D306-00000000E601}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034291Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.919{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B15-6112-D306-00000000E601}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034290Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.920{82855F7C-5B15-6112-D306-00000000E601}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034289Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B15-6112-D206-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034288Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034287Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034286Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034285Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034284Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034283Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034282Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034281Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034280Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034279Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5B15-6112-D206-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034278Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.247{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B15-6112-D206-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034277Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.248{82855F7C-5B15-6112-D206-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034276Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:17.216{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AB8CCDC02FA6339B6FBF7DD044D5B1,SHA256=697CF1DA2F55A97B1B7BFFFFC6E7B4F383B83067E37AE194798E94B46B6A7F98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034306Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:16.864{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51603-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034305Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:18.576{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606BFCDCC59ABAFCD14940B54F9B99F3,SHA256=2087F718127E08C176398615C085770F20CD9FA9A3FC5D671BDB591300834244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034304Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:18.576{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD81A481CECA21428143EAFE5A21640,SHA256=CF4317C683F71965F8157A5227F6154ACC517A72C944415A51502CE8829099E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048019Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:16.623{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64480-false104.244.42.193-443https 23542300x800000000000000048018Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:18.171{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F22FF9353BE4150FEB042320D5D9FF,SHA256=D696FCE03BFC1C1E7DB67F0088CF4F0A0912D8EC3E3B334D22940A1F893EFE95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034303Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:18.138{82855F7C-5B15-6112-D306-00000000E601}37562988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034307Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:19.591{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADD8D89A786A5109733EBF7BA4C22C8,SHA256=99E4F33978220A719760F6D293B32324B781B6E4D4F3650ED0A509F9D93A8B8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048021Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:17.296{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64481-false192.229.233.50-443https 23542300x800000000000000048020Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:19.189{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1628F9D9D0E7B932F1F3E6CE8D03FBB5,SHA256=012218063398F174A349A9442052A5BAB1978510D685836808D464721575CA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034308Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:20.654{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442D3F923306569FB690D15AAC25E4AD,SHA256=F8F0C2F94140BDF4DAFB1BD989BB3C96A47609A02FDABE52CE7353FA6C66D2E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048023Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:18.505{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64482-false10.0.1.12-8000- 23542300x800000000000000048022Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:20.208{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E81EF3F6775A7B8A77A149FA6F3624,SHA256=C9D08F052D9707C202C90E1FE3C2808177FF3D72AD60195D2E8FCD4B0ED19D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034309Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:21.716{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A158BDF763AE360743A7CC1B0BC512,SHA256=21053A2374EE1D7AE6C3BDECE0AB449792A5924B942E549173E99707B54191DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048024Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:21.223{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E84428A037B6C54DA476BB317CBCAF,SHA256=80D239FCCC4C4B3877560A2BD33DA819CDAFA3CFB1BE193D7EB4F6760E5AD414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034310Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:22.716{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E945E747BA41695EE85BE764C1C5B056,SHA256=34FEB2944D6355D8DFDE528E0F298958A5C489427245A8D23022C088943D2D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048025Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:22.238{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEC844AB6EB02E7A5CE5D63F79A9C8F,SHA256=7CF51D6D24B6ECAA5572564A2A3270FAE2780C842C0C406BB0F867965DF8622C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034311Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:23.794{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7476ECC2741F3EC990E5887FD5D36C0,SHA256=6FFFC4D204F231BAA04F673EDC673C6F497559091520466BC25EF2D52BDEDE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048026Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:23.238{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87952B924CBB60DE73645F9DE1B75A47,SHA256=4A15E977D517653DFE9C54980BA773155A7A8309616593F213795E477B3F63CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034313Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:24.857{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B2DF04840D697ED26E1649A9185E13,SHA256=067E8D31D7FE5141F85879912AC71298E26C9DD3D923DA067F7832F6DA69ADB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048027Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:24.253{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948E00E9E43A9A2D8BEEE1A35279CA69,SHA256=6FBF71403FDF3D513329C48A718A866DE86A531F63EEBF86D0378F9212CF911D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034312Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:21.926{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51604-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034314Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:25.935{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01EF1610089DEFE5F2B4CB07A854B59,SHA256=DEAD0EF26D8A6DCC2989B3DE667E783E70258E6359F20E6AC6355FB1283F4168,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048029Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:23.672{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64483-false10.0.1.12-8000- 23542300x800000000000000048028Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:25.268{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F061EC65A7CDCABBA0D48BDC153BF73A,SHA256=93D0D3EE01F1A7ABE40F5EEC91C43A6D96140C64CA7E5330145EFD2D9ED2DC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034315Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:26.951{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CB7C497FE8463FCCB6FF6AD5C1CDA5,SHA256=342002309430E965798E2A94EDDAFE18365FB15FBE3BB5E139D1F3907911F3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048030Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:26.288{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBC892FF662CA3F3715B5695A6F64E4,SHA256=B4506F46721887BC20DAAEB43DC6157F262A992F3783D3F1F1B0F11A3BF833F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048031Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:27.303{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E3CF66AF21142BC34F89E2DC7B20FE,SHA256=1B22D78D021EBAA123BA642729986389F37800865FC90878F7431A09C4635A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034316Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:27.997{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D853C0BAC217EFDCE590BBA3950D2F8,SHA256=AAD5F8AEBD8D6400D15D554264752DD6528675AE084EE3C1EA191C5A7F40C341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048032Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:28.334{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=522CB0741709E12B0F9E7B264A66DE5E,SHA256=8F51B347FAE7DFAAB2A294E298836CC1D05D74A30B752236716B18735409F4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048033Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:29.349{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238C7722586BD1B1BA9CEE0E4E5EB52E,SHA256=AADFEA9AE99891B6773CFAC2268CB503D84F1BAE740BB5621E4D0B15608BC6A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034318Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:27.926{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51605-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034317Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:29.002{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63219331276923E8A191C5821A088F88,SHA256=4773EB79F900B1D3976513532B3ED8705A388ED8A9E60D73C581DDBA7801C6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048034Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:30.364{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AE5EF9C9F80C1C217C14565B1F77A9,SHA256=1C533A167BFA03B346770F4FC135EDD2C301CDB2E8C160D05A19735F5D6E678F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034319Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:30.018{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8B92664AC5D1CAD22640982C95AA71,SHA256=BDA5EAA867793E258840F2FB00F3D3D9934C2B406EF6F22C2E94A91645259A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048036Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:29.652{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64484-false10.0.1.12-8000- 23542300x800000000000000048035Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:31.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0640A2F1F6AB007A2603D69888EDAE30,SHA256=421D6AC07550B6BB851FA67EA701C10A5BC4A99EE9A8973A2A7A7668D0A5BA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034320Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:31.033{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13CB309FB3C0854D6DAC678938BFFCD8,SHA256=889469E10217A3B3DBF5FED8917C8E3FBD6A4920F069CD83739F710FB152E8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034321Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:32.049{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E68DB270DE980C683B56BCCF75531C3,SHA256=1ADC92D5CA2E11F52E50CE3E80A0C03642A952F65FF4614FBE7CE76674417CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048038Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:32.831{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048037Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:32.400{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2AEE3BD8585CF84E18BC5A79B493B1,SHA256=8BBF3E69EC97936CE01F831E7EDF5C20370A787519E904377FC3FDADF496A0EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048042Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:33.682{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048041Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:33.462{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF873C6A1CC8046CE86D71490ED0EF4,SHA256=B27400D0202805093D7A3E076772B290691E5FEEC9115F8DBE5B0C5CD7A57B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034322Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:33.065{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3829F5FBEEC4C47C138166190993015F,SHA256=F4AD2F01C21979AAD5A46E6D8158E870E0386AA9630EB4EF6E2898F181D41268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048040Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:33.015{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9487AD98B55F19DF16752C4D03EB7B40,SHA256=72AF46DA97A06DE4438777D661BB5681AAF49341A9F954AE645B16E89A2095B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048039Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:33.015{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=155F94AA25D1B2B86DA926F40F95BD29,SHA256=EB8C6A2F7428D2BD28887C69A076ED176FD37DCD2304746E12AB44B0CFFF6E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048045Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:34.480{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D02DA3148C4CBE3A7C8C75F248183B,SHA256=FADFE832197F619F46C4EF9DFECB8B102000BE4E72F0FB8B1342B5BD98F2B5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034323Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:34.080{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691F829B135FD688C6D176A00CFA8F9F,SHA256=E6A65604E133526E36B9C17439B1D0F9D2F4E7E40EBA151CE51A49584F07F78A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048044Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:31.437{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64485-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000048043Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:31.437{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64485-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000048046Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:35.500{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE42FF233DD58737D621B6E2B5BADD4,SHA256=AA34003DA8B4324D97CC3A6568B5B32EDE8404760AAF831A8C7A96846ACBA633,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034325Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:33.915{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51606-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034324Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:35.096{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9629E545A15A29A4BDDA62B3EB2C3172,SHA256=B82A37EF2C4D9314C050F0EA1F47057CFC23DC984C29A71C22D588A6327C486E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048048Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:36.531{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7DEDE148DC404806FE7C2774FDF47C,SHA256=8E2984CFD6E7ACBC7F3C2E6DE846C9378F967460B986908EF0697A2F08444D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034326Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:36.112{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D56A15BD51EAD46AD45E4F907A5B24,SHA256=C5985C1A666C9CE1DE51737E2EBE7D3EB5E190EAD753691AE2A8FBF44A3A4BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048047Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:33.097{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64486-false10.0.1.12-8089- 23542300x800000000000000048049Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:37.534{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480E197E6095AAEB2A95EBCCBD6E60F1,SHA256=02FD50204275364533120A9BE133C019BA045A68DFE10CDD29151478A4422D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034327Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:37.127{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36492F17BBEF3AD52E064157C3D2C3F,SHA256=7BE2607A98016550A3A76704754BA097459130351449761FAAD3F105E8DC1DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048051Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:38.549{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED34705D148431E7217563B2040421F6,SHA256=557EB219A102DF0B48163CAD9CEFD48EAD640D215390B845A6AF4D2C8D39672B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034328Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:38.143{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F495311E13C46E12F0731689CDEDC3D,SHA256=11A795FCAFE1008760CE515B405A4F2D7B7442A70B7B6B3AD749159C50BDC1FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048050Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:35.434{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64487-false10.0.1.12-8000- 23542300x800000000000000048052Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:39.563{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1323BB49C3D9B050223F282E57390D0,SHA256=D2B61E7AF30437F026891FB67E3BCFB17E5C25E6FB63D2505CF0030C359E873A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034329Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:39.158{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEF4CA283A58A199B46E6E4983EDFFF,SHA256=67414E0C518BA67B4109BFD791BF3B637461E66DA726A519AB4324659ABA745C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048053Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:40.581{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B971C302BFCA5380EAC590884DFE4674,SHA256=CB96309805C65FAA44FDCF07CEC57A3E4B9AB16E89E3903124F45BA730D9F334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034330Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:40.174{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C233F0FB6D1AD1A08BD1A5FF42832887,SHA256=E7DEC18C7A2795C43B691F87CD886CED57F2DD2731C61DF5DF2286612E1C8FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048054Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:41.615{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C079C02B98B6F365DD730076BC218DB8,SHA256=A135F14E09BF61DEB937FF6C9E5FAE1CD2E0F6C3FD1EBFB76562007E0F693A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034332Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:39.884{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51607-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034331Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:41.190{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D4EFEC88B2BF98E33C1A9C2722FB51,SHA256=380C1AAF15892DCC022E47F78B80788E0159F46B3FB258F7D0D90CB54F5FCDF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048055Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:42.630{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F71221C87AEAD40B1651D94A779ADD6,SHA256=C465AA901CDC3E4C2E7FFF757D8F78D1AFD9469657419924353A78D419F622FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034333Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:42.205{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74152774DC443811F53CEA991F20D12,SHA256=586CFD61851C00BB1C5B3F92235EBF712C7FE6C4497E8BC869CD9A9BD0CD0158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048057Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:43.645{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E840C5E8B36AAB8E0EC7B0B92660BD75,SHA256=8B94B466086C383073C5B6E1BB37A779B2B8DE9DA0BE48F681C5D89B81698055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034334Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:43.221{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767396993857000D7B13A38C4C525EB2,SHA256=4E54E0FDD41A24C5D1BFAF179B3045BB20446F394CED490F65BC36A4760D17BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048056Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:40.513{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64488-false10.0.1.12-8000- 23542300x800000000000000048058Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:44.677{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1400F9732A8AA0BF287D7CD766956ABA,SHA256=C6658D759EB0A78A2292B478E21A1A395BD90C7201675D88F21A927587031788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034335Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:44.221{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9B086AC13A1A3A8600B27E319AA4F5,SHA256=9ECA1B3D7817E407E54CA9D78C90A41E13A9DF3BAA5A2076680DB1FA67DB8EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048059Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:45.712{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC2F632C78666E0E3733CE6C64F2089,SHA256=345107929C24CAB804251D9C24F8FDB715F7EA803C4C417DE051E50221362CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034336Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:45.237{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A71F7B978162CA8691C98CF09AC552,SHA256=87579B19868A4954AAC41C04AD8316EA58220725C679369703A0842C5439B41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048060Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:46.727{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80005C886BEF34521B79BF4964BDA37,SHA256=168277410672B134F1AA3D10486C9267BBCB90D76BDAF4F4B10761E66183F896,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034338Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:44.915{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51608-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034337Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:46.252{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5E124847E0DAA000280481A38FC3D8,SHA256=61136FE323D180A1200E7AF38EA2B71C2615ED26118E79A427B0DA2F6447C66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048062Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:47.742{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BCF5F11C07CA876DA37D8C721B1B20,SHA256=F6BB7086414F82307895CEEECE17D747D3317F265078854E7A52CC863AF580AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034339Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:47.268{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2CD7C9EC954257CDECAB5BB3A18AF4,SHA256=D7B14BBE5D6F9DAF47C23523E0AC109E37E5DB1E0009AFB486DC12C10189EB7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048061Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:45.646{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64489-false10.0.1.12-8000- 23542300x800000000000000048063Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:48.757{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86346BD006A19AF08E37E00971231293,SHA256=A1ED8802465C6B63D7898040B77782996FB635040DB804016042F6203FAABE25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034340Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:48.283{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120CDF2F0F07279C38BA0ECD9A92431B,SHA256=32C25A299A128260D7565A15F4B075627F5AA3CA007621297050A0ED524C8EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048064Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:49.795{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3378859E90AC6FDA8C54F992C13DBEF,SHA256=C0947FCFB199A33A7EDFC490F25B3285E4A620FDA99AC0FC29C7D617A503EA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034341Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:49.296{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFD4B7CB8A287766A3A0306DCB53A2E,SHA256=4703015D9724D45EFD26C35C572660CB06CBDFDB92B2AB760C2921B8113A2DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048065Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:50.796{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA5C42D48E0A6D067D80BD200FD9545,SHA256=03F232795746156F9C06CAD6542C6A42E95329B75FE2832C59C345D927362F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034342Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:50.312{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA05A4B873DA0B065FF36F441C071C0,SHA256=A86570AE3322E1DA4B9F964DC4C33A2D1804838391AE80B8B6AD156C5E4DE274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048066Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:51.827{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDC97E3134DC95B3D45C7F2C8AFAE42,SHA256=52C0C15B310931D138FC928D6D87312C144F095789334AAB649C7BC6A292DCAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034343Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:51.322{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4631D99E1C69FD41FC09786302425E,SHA256=52D24B538A88EB3A79B14AFEF6D02957CF30B08F035C6F17787F4759A5829E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048067Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:52.842{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B724216F741971173F7440B091B6A737,SHA256=0A221D933DFC6C17AE41D9ACA17E479F35064EFABCC13AE86A77964005685CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034344Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:52.334{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05E858B1BE3B4616BCB8FDE4CAE58DE,SHA256=A2D86BE138171E3D07E23243A2E90008C538B5649957F4D371406E7BDB50BCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048069Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:53.843{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C02861FC6AEA3A2E86861A904477314,SHA256=5AB9E9D8AE4EA00B3FF256CED16A69855C174029C92F6E56FED9FF6205276E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034346Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:53.337{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E339845994C2F2BF6483D2EB9E0F66,SHA256=080770C03B2D7F34BE6673B2EE7AB84D16B9DF32E1EDB0541B9CD220941D29D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048068Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:51.545{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64490-false10.0.1.12-8000- 354300x800000000000000034345Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:50.876{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51609-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048070Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:54.880{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1070B4D0DA4605A6B7A7FE904D8FD404,SHA256=4C460A4889F0D3FFB64E0661D1D0C04652C17A9657D480A9C605574F2E2C27B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034347Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:54.352{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5DF9F31919473BA4C09D62E03322B2,SHA256=874FB22FFFBFAC9EADE5B077398593F1F89974A605764A39AADCBFBF9A82B796,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048087Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.930{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B3B-6112-6208-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048086Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.930{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B3B-6112-6208-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048085Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.930{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048084Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.930{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048083Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.930{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048082Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.930{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048081Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.930{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B3B-6112-6208-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048080Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.931{82A15F94-5B3B-6112-6208-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048079Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.899{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2D2C7CD7139DF3DD96F4C58053BECB,SHA256=67F2AF47312A413E4557C36BDD79FB5C53CA1AC09D0939C268AF1F797B175388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034348Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:55.368{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22165DECEE2E1B9AE8F8109744ED1DF2,SHA256=AECA2476D42B7B9AE1F5AB720D47B7FABE4FDD163BE2742D3B473FBF44CBF391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048078Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.262{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B3B-6112-6108-00000000E501}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048077Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.262{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048076Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.262{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048075Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.262{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048074Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.262{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048073Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.262{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B3B-6112-6108-00000000E501}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048072Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.262{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B3B-6112-6108-00000000E501}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048071Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:55.263{82A15F94-5B3B-6112-6108-00000000E501}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034349Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:56.383{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B3CB266AB205EFD5F6D284722FF376,SHA256=0DB88C0A6A3DB6CF755CA48D0BF0801A30F94E9E5204AEF22B9456DBE9A939C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048145Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A092763430578012855B0AEA70C806,SHA256=C8FFC5F51ED477E3DC77EABC9956159964EECD6BE6F671C90147A8A155010533,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048144Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048143Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048142Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048141Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048140Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048139Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048138Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048137Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048136Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048135Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048134Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048133Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048132Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048131Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048130Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048129Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048128Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048127Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048126Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048125Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048124Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048123Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048122Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048121Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048120Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048119Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048118Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048117Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048116Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048115Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048114Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048113Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048112Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048111Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048110Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048109Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048108Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048107Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048106Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048105Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048104Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048103Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048102Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048101Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048100Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048099Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.914{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048098Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.599{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B3C-6112-6308-00000000E501}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048097Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.599{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048096Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.599{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048095Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.599{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048094Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.599{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048093Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.599{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B3C-6112-6308-00000000E501}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048092Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.599{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B3C-6112-6308-00000000E501}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048091Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.600{82A15F94-5B3C-6112-6308-00000000E501}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048090Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.283{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07DB98222B53B772B844B2408BD48C1F,SHA256=47D8E38625E37AB2B09310DF9DD3013193D018057E62A99415A56192B50CC583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048089Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.283{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9487AD98B55F19DF16752C4D03EB7B40,SHA256=72AF46DA97A06DE4438777D661BB5681AAF49341A9F954AE645B16E89A2095B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048088Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.130{82A15F94-5B3B-6112-6208-00000000E501}61726208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048165Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.982{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B3D-6112-6508-00000000E501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048164Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.980{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048163Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.980{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048162Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.980{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048161Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.979{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048160Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.979{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5B3D-6112-6508-00000000E501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048159Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.979{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B3D-6112-6508-00000000E501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048158Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.978{82A15F94-5B3D-6112-6508-00000000E501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048157Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.929{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF74E24023597A6806DEAE1D9D96DDC,SHA256=644B72F30E48D32CCBBB582D834396A223B5F707752B08BD232B33D09AECE3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034350Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:57.399{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFA759F41EA38402A4C7F05773FF42E,SHA256=66E45B3660D57474244C5ADE70EA4FFF0B28EDD25DE9B30BB172EE591E3BB7E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048156Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.630{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07DB98222B53B772B844B2408BD48C1F,SHA256=47D8E38625E37AB2B09310DF9DD3013193D018057E62A99415A56192B50CC583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048155Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.561{82A15F94-5B3D-6112-6408-00000000E501}67285860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048154Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.430{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196C047EEC6499AECFDCE6B721BF818C,SHA256=6CF3E38E765191B9CE14608699751FD813698ABFB085CE8082313C74C6B06E4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048153Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.361{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B3D-6112-6408-00000000E501}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048152Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.361{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048151Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.361{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048150Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.361{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048149Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.361{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048148Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.361{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B3D-6112-6408-00000000E501}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048147Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.361{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B3D-6112-6408-00000000E501}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048146Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:57.362{82A15F94-5B3D-6112-6408-00000000E501}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048177Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC698C148A7E75CED3E09E88ECD1749,SHA256=5048C763C065536CDD6F47243C83B6373BBE9032D4303D62AEECD05BEF7D668E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034352Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:58.415{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8A0A464A9D5D8CAB9FA169D0D9B267,SHA256=50285766F7FCC02E3D5BA25DE59488B92DF0234B07339BEC2FA74D3B5AE981DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048176Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.813{82A15F94-5B3E-6112-6608-00000000E501}31963564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048175Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.661{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B3E-6112-6608-00000000E501}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048174Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.661{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048173Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.661{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048172Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.661{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048171Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.661{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048170Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.661{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5B3E-6112-6608-00000000E501}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048169Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.661{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B3E-6112-6608-00000000E501}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048168Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.661{82A15F94-5B3E-6112-6608-00000000E501}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048167Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:56.648{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64491-false10.0.1.12-8000- 10341000x800000000000000048166Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:58.129{82A15F94-5B3D-6112-6508-00000000E501}32283476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000034351Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:55.937{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51610-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048187Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B05E3E92B76E0BA7F529B0C58088AC9,SHA256=6524FD048C9E1DDA07107BEB262C6DA05CE11436950E1679068F1D64D671B499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034353Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:55:59.430{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19FDEF34D344883DEDD86B10A6A6F52,SHA256=BE4B428E946A7C46F69E4D7DE1B086464E5D85660D219FC332017CA1661D2DD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048186Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.329{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B3F-6112-6708-00000000E501}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048185Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.329{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048184Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.329{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048183Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.329{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048182Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.329{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048181Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.329{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B3F-6112-6708-00000000E501}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048180Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.329{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B3F-6112-6708-00000000E501}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048179Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.330{82A15F94-5B3F-6112-6708-00000000E501}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048178Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:55:59.029{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CFEEF7986C24866A3406318CF2204A4,SHA256=D3AF92013BC5ED6FB304CF448924A0AD9D3D9CCDC9E99A26D1DFA46FE0142F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048189Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:00.979{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE0CF4978253E95FD0C88B84F902DE8,SHA256=C972C0E74D2930A381AFA96DBE08F6B1F9456F90F7D068B10AEA1C095D9C5818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034354Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:00.446{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744A13182054B655C416B094F354D4ED,SHA256=636052CA43407D7F18006608B19D5347450D8C61BC4B9348D507D7209D49E162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048188Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:00.330{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02BA934C90D5AB61ABB21E5C76566526,SHA256=B97CE830B4A0C6155084F1D52CEA39044E7061F085B3ADC2435E3608EF402C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048190Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:01.996{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC53333EC4110EE5BEE6D343B11B0189,SHA256=A3E7A320BA05DFBA19C643F455BD4320F07BBC887B233E4122CE3971F91A256E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034355Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:01.462{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59605C18058C0B3961C2CCCB8A3B579A,SHA256=5EEA97C7AFC7E40C84ECE35D83F47FAA027C565DD0237FD1EE9C3E8BDE8A78F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034356Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:02.477{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A15C8F3781C7DBF199438A5B32CDB1F,SHA256=119B99802F84A8C33BEEDC7CBBD96AF7EB59469AD7AF55D95EA79EB1F5F9C74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048191Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:02.164{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DB7ABD2F8589CFAA0DBC2479615DDF05,SHA256=7F2FC07F206E32DD0C897700FBE323822FD3F0D46E42C6A7E6DE38EB48DD6307,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034358Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:01.984{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51611-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034357Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:03.477{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4948F99EE93AA668C5687FD072C22F1,SHA256=F20FDDB22457A43294FDCC215E61A019BAB5BD636740F7BBF12E9BDA7600ABC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048192Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:03.011{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E71900CCCD399BAAE9CD37AF5B4C349,SHA256=C57D1253078A37900AEF95DBE92A493287DAB5F53B3DBCF0E78D808E28AD1524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034360Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:04.493{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF20DED1CDE90EFC4A713B6168022901,SHA256=DFECACBF34E30E093B7FA36E25B120AE6AD663F7C64C152C8DF00D5FC8BEF9B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048194Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:02.530{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64492-false10.0.1.12-8000- 23542300x800000000000000048193Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:04.019{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCAA1824DECA35C1FA106BF69CE3880,SHA256=7E2242E37912D5FD96D6EF50D9D4C843ADAA6508B1C9E9F5EC6D9C7E2C4AF6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034359Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:04.055{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034362Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:03.812{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51612-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034361Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:05.508{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA614F43D0C4AE315CE0421B46DD0A9E,SHA256=7C97B99CBAFF02315106EE6FFACD1AC684B429FE2764BDCE5C62C3F3945C1D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048195Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:05.035{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8B06A8A4B1421722C344A0ABB69769,SHA256=0C97B97A51BA5208B0E32F6C93676BB6548FC14020CE0DEB08FBCAD473243E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034363Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:06.524{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F1EB6F4D73A1EA00CDA62D503AB80C,SHA256=3B3E878AD53776D0D592CAE75CD7CD264F31E6E55EFFE51BED2AEC83730757BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048196Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:06.051{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B287FA74D957B91BD15A3F2B5608EFC,SHA256=2D7773B75B3D55907EBCB5D03985EC8C779C25AB3493D1237A0D35BD076A86B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034364Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:07.540{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41397CF8A2D5A309891D394EDB9DEFF9,SHA256=B3EF3941BDD5B9D939ECA62535BF694153712BC594B50A45628BC1A111A07781,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048199Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:07.582{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048198Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:07.582{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048197Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:07.051{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A03037CA2DC1F7B6B6EA62AFE1FFC32,SHA256=447479E79D8EFE66D5F6984778F34175E26803C10D63BC8C877E853394BC4847,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034366Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:07.015{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51613-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034365Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:08.555{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC71A876AE34CC00DFD928300D877B3,SHA256=F026162D0406993A7BDCC7CCA730282B9C657C275FCF7AAE8BCE0A405237298C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048200Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:08.083{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20EBF6427EF3499C467A9720215174C,SHA256=7A6950555422B1A4BB35CE7B4273482774C7C9D74B7742880010F8D41AA72A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034367Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:09.561{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081D235BAEC7B02BAD81A84919E050DC,SHA256=B875269A3E79687B4F94BAD6C30D648E57D84B37FEDBF552361885E5B1EE51A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048202Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:07.551{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64493-false10.0.1.12-8000- 23542300x800000000000000048201Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:09.098{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DAB9243FEB2DC47274B3424C09FC8C,SHA256=C44D507C8722BFD4F3323A5A2CBEA7F45F7F28EB9F541489F532C9E7E82C4C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034368Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:10.576{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6236B67475308CC68942C0129860701B,SHA256=0EEF0089815FE36B3B55DC4D0D39ED2317D2A1633ADF8FCF1DA00D93A292CD1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048203Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:10.120{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8208D27F6B9D9C8BF8CD0F8B867328,SHA256=683B43562888AF86EF5A6DB2101FEF059319273E46DFD2DB7588710044F7D23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034369Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:11.592{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F189FC44B174FDED11E36B0404FB11AA,SHA256=E1E4AC025F9F3B67FECF68EB69908BEA23AE478718E6A6B6C89744D68FF88CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048204Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:11.135{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AF5B00B8A1FD0D79AEFFDAB2B3D30C,SHA256=30439184503666D2F0AE9C2496CC84993FD1789A9D2B2E6D7A3BECE1AAFC3994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034370Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:12.592{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A36169D63811355F593CFF76EE65313,SHA256=27A8CB0DA34C82B2F0A332BC88E509897DEDF03F50396C846ABC01E12FC3CEC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048209Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:12.634{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000048208Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:12.634{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048207Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:12.634{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF97594c.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048206Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:12.618{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\aborted-session-pingMD5=D2BA745715CA92FB60B2631E1B73C220,SHA256=2213218FACC82923130A8722097AD62FD903085A3CDA0466DD6FFB273451687F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048205Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:12.150{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B923464BA7B0DA101614A4FFEF999B,SHA256=76947A48C922B21B5FBD2B47526FECE3681697372A5951E1D048B1F207EEEEB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034385Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.889{82855F7C-5B4D-6112-D406-00000000E601}34202684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034384Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B4D-6112-D406-00000000E601}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034383Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034382Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034381Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034380Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034379Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034378Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034377Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034376Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034375Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034374Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B4D-6112-D406-00000000E601}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034373Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.686{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B4D-6112-D406-00000000E601}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034372Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.687{82855F7C-5B4D-6112-D406-00000000E601}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034371Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:13.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D175620C03BD508D0E40226D9E3ACE,SHA256=3D1A4FF5D53234A89501088D01AAAA643FFCB2A5386086BFE528CD29C242A39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048210Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:13.164{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07BD2908D0DE384C6A88FD59361F9CB,SHA256=CF57E10514D1FF690B842068DDEBE5C8C07D26F727DC3D56B90F278F51B7D62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034400Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.858{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8E14D4A643D6E102B123FA53EF0AA017,SHA256=8D87BD9E88F4835FA602AE67441D6B8276583543251CD5C640C0C3C32C3AEED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034399Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:12.989{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51614-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048212Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:12.649{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64494-false10.0.1.12-8000- 23542300x800000000000000048211Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:14.195{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637C8819094A8C58B53D4BC709EC8CAF,SHA256=EB6005BF8F00B39CFA94899175AB42DEBF4849F98405808EAC9DBADE50B06DDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034398Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B4E-6112-D506-00000000E601}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034397Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034396Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034395Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034394Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034393Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034392Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034391Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034390Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034389Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034388Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B4E-6112-D506-00000000E601}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034387Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B4E-6112-D506-00000000E601}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034386Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:14.358{82855F7C-5B4E-6112-D506-00000000E601}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034430Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B4F-6112-D706-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034429Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034428Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034427Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034426Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034425Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034424Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034423Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034422Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034421Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034420Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B4F-6112-D706-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034419Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.920{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B4F-6112-D706-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034418Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.921{82855F7C-5B4F-6112-D706-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034417Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.858{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE261AA735EC8FCE6ECF45EB9EE2ADFD,SHA256=851A8F1ADFC8D03DBC043EFDA219130B1DED49F79AC49E204E6C418A5CAFC760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048213Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:15.213{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D46943A96FC94BFAB68D4B663DAC20,SHA256=D8F7CE983B4DF26F7834C21EAB05A09385DAEE8BB17BC7E8285036AAF6AE5A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034416Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.108{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDCF4A8252E4F29C7E3537D16291571B,SHA256=7901947FA14BB81E20B17BABC6322F1EF0846BDD6CA2BBB51536DDFA85E6EFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034415Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.108{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B50D6268CD495A8EBCD7954C27AFD41,SHA256=B4B8B461C6AD15BCD3DF3DC499C5265101ADD9D758A31250DDFB3443918C865D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034414Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.108{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C3A27A0EE12AE085D2D230A0C5B9A9,SHA256=90CE8FD8B836A460A4C4C1785E8F9C56D050EC2E6FDDFF911B7140143AE638C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034413Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B4F-6112-D606-00000000E601}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034412Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034411Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034410Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034409Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034408Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034407Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034406Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034405Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034404Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034403Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B4F-6112-D606-00000000E601}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034402Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.030{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B4F-6112-D606-00000000E601}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034401Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:15.031{82855F7C-5B4F-6112-D606-00000000E601}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034447Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.889{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48CC264D175941270F32CA1666CD7C0,SHA256=4C7DCA8A2BC79DBB4DDDAC27FEA05EA888405FA20D90E7D2EB6F767C21F12AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048214Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:16.231{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BAB3C1533AD7FE3C9D1F332A82BBE0,SHA256=B071BB3EBAD83B42EBF9C502FD2162DC9288A7C7D7568AABEC186B5CF2888A0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034446Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.764{82855F7C-5B50-6112-D806-00000000E601}9563560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034445Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B50-6112-D806-00000000E601}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034444Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034443Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034442Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034441Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034440Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034439Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034438Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034437Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034436Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034435Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5B50-6112-D806-00000000E601}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034434Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.592{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B50-6112-D806-00000000E601}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034433Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.593{82855F7C-5B50-6112-D806-00000000E601}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034432Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.061{82855F7C-5B4F-6112-D706-00000000E601}15723408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034431Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:16.061{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDCF4A8252E4F29C7E3537D16291571B,SHA256=7901947FA14BB81E20B17BABC6322F1EF0846BDD6CA2BBB51536DDFA85E6EFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048215Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:17.262{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CFD59303D376D7115852307F20120D,SHA256=41F056D8DE45EA096FFDE86ACE8BB31F5C77FAE69F8F2011A3B0183FA567FCF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034478Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B51-6112-DA06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034477Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034476Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034475Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034474Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034473Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034472Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034471Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034470Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034469Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034468Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B51-6112-DA06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034467Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.936{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B51-6112-DA06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034466Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.937{82855F7C-5B51-6112-DA06-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034465Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.608{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F32845E676D0DB55B0E75ECCC8C22D7,SHA256=DDACF2C6A93FE04C29DF889A588B04FAF79944B92E2C02494114CF830729DE23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034464Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.436{82855F7C-5B51-6112-D906-00000000E601}2056404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034463Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B51-6112-D906-00000000E601}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034462Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034461Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034460Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034459Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034458Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034457Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034456Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034455Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034454Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034453Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B51-6112-D906-00000000E601}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034452Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.264{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B51-6112-D906-00000000E601}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034451Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.265{82855F7C-5B51-6112-D906-00000000E601}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034450Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.076{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034449Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.076{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034448Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:17.076{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048221Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:18.661{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048220Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:18.610{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000048219Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:18.592{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000048218Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:56:18.592{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.23.76719547C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048217Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:56:18.592{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.23.76719547C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048216Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:18.277{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6ECEF03EFA5E02A2659A2E7F0FCE1A,SHA256=88378EE5AD0E72F3AAB1EFDD9210187C97BC0ED1C150FB26FBB483F7C0E3727C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034480Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:18.983{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CC15651646D11561EC2A129BF00E2AB,SHA256=7911501ADAF2FB98E28F0CB46BEAB9537EB2376DAC3265928977DDB385A6E1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034479Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:18.030{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F9602A1A0BFE39CC10169FDC6A83E6,SHA256=94B783BD651D8093ECD31401CB219E2C316D466CFFD6C6FB14F9DD8981D51BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048222Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:19.330{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744CA4B61B0E412FBD09C74546BDC6D7,SHA256=EB4076E3C54BB3AADD1D513937F540129D84C5C7F17FC45520AFB4B05BC751E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034481Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:19.032{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED352D9B80E6C63E5AA2086EA9BADA74,SHA256=A027C64324F9844A9394A28F13CF7908FC388DC6C056E632C147458F2CD66C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034482Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:20.061{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE639C21D11D9919A1E3D5DAB97DFEC,SHA256=1C66845BA9CD8F08E5EFD52521247F3357CADD7FD08AC07946A2D2DD3F288F0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048224Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:18.580{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64495-false10.0.1.12-8000- 23542300x800000000000000048223Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:20.345{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47735E139874543C588A558F654A946A,SHA256=8456EAAB03BC9AC274C88E12F8F130E324FDC81BA991453FB9E298145DBD9110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034484Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:21.108{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E8F8BE9ED3EB326253B2647DA508F9,SHA256=C053992848B45B1B3CE8FBA32C4FCEE8940B752D2D70D4EEE8E0862D5801C84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048225Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:21.360{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14CE2FB83995924D96BE96E6F3158E7,SHA256=8F0D11C41EF74CC181D0ABB467A0BB45F6EBE86932137BC10202DBBC43396446,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034483Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:18.945{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51615-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048227Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:22.376{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D8B72FB77417A3ED67523C54CAADC3,SHA256=FDF38946D40D33BF7460A1066A33E564F456C7D42D11CB051659E2EFEBB11A24,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034495Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000034494Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008ff092) 13241300x800000000000000034493Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0xf94f1b88) 13241300x800000000000000034492Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd6-0x5b138388) 13241300x800000000000000034491Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78dde-0xbcd7eb88) 13241300x800000000000000034490Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000034489Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008ff092) 13241300x800000000000000034488Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcd-0xf94f1b88) 13241300x800000000000000034487Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd6-0x5b138388) 13241300x800000000000000034486Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 10:56:22.748{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78dde-0xbcd7eb88) 23542300x800000000000000034485Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:22.123{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBB38741F2160A13461C9391A5F3F56,SHA256=A5C6875B3D4A30909DC170B190B45BA6F915A5D20233C180380599874D8158BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048226Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:22.344{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048228Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:23.391{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BE47FDEB2FD9F1A31A35827959EB53,SHA256=7A4F193077E061E09B74F4A63210A587C68C93AAA2E0280B02434F01BD0B5254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034496Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:23.155{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D9659751B3B5830E9CB21D4F93DF94,SHA256=D2EFFA1A37555A8BB606D8E5CA710DB9E186B2783E3634B34500628DC1A9DB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048229Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:24.408{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36A7A997E795C7531F9685D2DA2B206,SHA256=3DB98ADEC6512BC5B800C7D0061F9FC939C45AA8B0D242D62FABB79CE73523EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034497Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:24.170{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F042C0681336483DB9FEF9632D6915,SHA256=7CCBC8076799FC0BA03ACA3CFCDB9C7B9F4D78EA1CE7F32E8E27CE1C1B3DD148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034498Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:25.201{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F9E7C4892654F7004B562CDB6ACCB5,SHA256=19F3535EB538DE5FD406A60A1AA074EC3B85F0D3929B4CDC7711A10F436F3A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048230Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:25.427{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5F70ECE69C92830A01AFCDA3A00A91,SHA256=28BF781FCB1DA9E14836BDF17A5999EDB8582AB71837B1C7F994AA34B6927D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048231Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:26.442{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F732EAF9837C6A06509E0E523E9423,SHA256=5A2B18C274C26A2035EAF68F43B80625D22D55AEBC47206664374D47411229B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034499Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:26.248{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1806113FF32A7A44A99BCDAF5A6EE6D4,SHA256=4372EBD4232BC3F4226AC90FD6B4BFDAA2C3D5F0C5CA2CA451290C1DBDC79F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048233Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:27.459{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E948FED6F50DC4D330C42530873FB30,SHA256=5251CE97C520A65194A6E8981E1DB2650FF3891F525273D922D7AFBA75B3FC40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034501Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:24.973{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51616-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034500Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:27.248{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863939EE9BF29926875AC3424BF5983A,SHA256=F1F5AAED0FEB158D4EB093474F6B2185918C6BCB1CD30A867CB8A3E88A9044C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048232Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:24.492{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64496-false10.0.1.12-8000- 23542300x800000000000000048234Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:28.474{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADD0E814C249652B7299A99ECCA4C45,SHA256=B8DB2C638946EA008ECBF5240F5E7BD3BED51E7469863E4A21945FA3F4FF9BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034502Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:28.280{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912F9058673136AD9E4F9B8D10BE58F0,SHA256=53E69FD5CFD193C0C8F32F1A3EA8DFE4C07D08055CE097C8E8EB5FDFFD95DD63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048235Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:29.490{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CAB6AF426736CAA1EC2B00E492B421,SHA256=400E4193209A8C2F18268A1ED6DC6ED1357450712B23CF8238A847D0F9D372B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034503Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:29.284{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC2E6A06343F969A1444C3083F5B3BD,SHA256=71A189A9C6FE18674E046D04D21774ADB8D8337A1F873DD10E13FF8FAE198157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034504Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:30.299{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF5163307B5BD56EBF56B708E732ABF,SHA256=E0056B655286FBCDB10033FDA557716D28D506FC73231ACECD138ED85E3FBEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048237Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:30.689{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048236Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:30.507{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6B6576E438255C37B9C2465ED9B71A,SHA256=C5C2D02429BBAD3023F6EE58578481400B7567C42CC53C7FDE8E36064203C0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048238Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:31.527{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8C982D7D6144630514C1AF79A86D78,SHA256=50B26734BF72C591BF7CE678F5BE04F2BDBC4BE5A82EDDFED3EABE5983ECC503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034505Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:31.315{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC70BC040FD29AFE4E8D808C01BDDC8,SHA256=7C0F728FBD873F670F6E5BACFB2EBBF9B396BCE3A8CE7897B4B0196BEED4BCB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048240Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:32.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B2EC465473D1F920A2998BE0EC0FC7,SHA256=88B1649DC26DED35475B812483A90F64A81BD83113A7D10F018D76D2216DA2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034507Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:32.315{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD1797848AA77290426E8957C6B436C,SHA256=3E77CC79939BF8C971AAADDF17991E03361CB3D9F6CEB4118E7B0A72BAF14C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034506Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:30.977{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51617-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048239Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:29.592{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64497-false10.0.1.12-8000- 23542300x800000000000000034508Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:33.330{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36981F03523475BC78442514220ECE18,SHA256=08644A7EB6645B11142A33212DE7AB16263BC72240DC172444FC3AC0BB79E4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048246Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:33.711{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048245Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:33.558{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6501BF7AC10CA04D981BB52FC4EF5C,SHA256=DE5E97DB37DDC15B28F64F09ABACDD449896023601F84EC8C7404CE643832A1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048244Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:31.461{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64498-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000048243Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:31.461{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64498-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000048242Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:33.041{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEE6834A87E63371F8ADC02C83DDA5B4,SHA256=2D4FFE302648B1B8D28703CB37DFB1A4A51861B023A1DC4A9846CDAECB508D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048241Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:33.041{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29A655B1F2CF36BEDE7040F0DABDE137,SHA256=26F59A4AE85D553CFFB211F0D4C611E8F15EDF9BE1049F172280AE478993B67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034509Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:34.377{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4863FFF056D2E88BA6DC3AED7271572,SHA256=AB41BD86B1E034EF657A550EBCC86E8A99BA5FB9CF7CC3A5AF253E8A41D8CE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048247Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:34.573{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9024823173DEA5F01D7AA48B62FFFFA9,SHA256=48CECA95BD4AAC8A6D7E71F812F2353887D8F81DEBE103A0E95EF9F1C5FB9C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048249Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:35.588{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78214AD66A64AD566ED9DF19207662E0,SHA256=D0E0B8E29A804076795688757FDC6A741CAF6685856ED96C3981BABC50AE9347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034510Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:35.424{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE9AA6446D4978DF606F49DBD12D0AA,SHA256=70291335CBADB394BED5789FF92B00016354DF00D6A83538003C3E2548CF2956,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048248Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:33.123{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64499-false10.0.1.12-8089- 23542300x800000000000000048250Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:36.605{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60993091506886406D9614B2034FDCC6,SHA256=7A2491BE8441D26E2537F4AD7AF9EC607410444A8B63CF33875CCFED57EF05E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034511Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:36.471{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEDFC7A60A4A4609A3AB8D5943CFAD9,SHA256=781012D3587F9B5654D7488C86DE4EDAA48DE1B18C71CABE49363392E959B9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034512Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:37.487{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6854B7A7059EDC703D25B79B64A84D67,SHA256=531B34BB15D2E4E8C82D7AF6FB3CA3C77A76766729B65905D574B9D4A3CCDBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048252Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:37.625{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D523CE5FC32C0F8F85DB621F164115D3,SHA256=500ADDAFF0BC28636A1E826C1CE3FF44479A1D155E5C1C254BE1DA8DCFA3624D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048251Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:34.622{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64500-false10.0.1.12-8000- 354300x800000000000000034514Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:36.930{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034513Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:38.502{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59855F69C067C537957370423A915066,SHA256=E0EAEA981D202CAEA7E8212A5B1E53F9CC8D82A92495F5E148C94EF7FF237F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048253Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:38.656{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BB50A86B8B1482FEC8FA3594EC129D,SHA256=09FF4182500BA9B798B6684D9C0878686D30A7F1399FE584FF9DBBCB026761C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034515Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:39.565{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C26A7D425422D8B4C7D5FE7660B9DA8,SHA256=963D903A4CE26F734E63E3CCB884C3979D7C4139F772403580D3051D03B37D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048254Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:39.671{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CD58EA6F5896E3AE62E35DB4AEEB33,SHA256=8FA5F026331A556D2D57FFCD6AAAD70469B33BB0E5AC646FD9ADBD970552D2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048255Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:40.671{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059C153DCDAA8F57115C08328DE27C59,SHA256=9B7D0863447603B7CEE97818367D0A6EACF6E1F22CF85CB625581F3C2E5A0590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034516Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:40.580{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD65268ACF475537BCCCC97A11F9CFA,SHA256=92C8E2DBDF7004DCD1E2C9315FC0C628B5431C5C64A8B6568A1CA1540FC1C881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048256Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:41.704{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA0A9C9787E867731ED6FAD4DA49ECF,SHA256=CC422F1FED5D665E6E5CC5B69B6BC80CD90316A79B1DAD012168B129F2DF17F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034517Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:41.596{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727E26B5FEDEE51966AD22497847BF21,SHA256=7857CEEA86355E762B7DC07B2F03E9A8C6D8F7E97FD7E23B8B648AAF666C9A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034518Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:42.612{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2313624C41064AEC98F13A76C71DD7CA,SHA256=568FAE10C31A31AC01970AC55874BFAEC1A8DF9956BDFD0D69DD9687B1255493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048260Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:42.723{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866FE9F125B1E4DBA058A5D14668ABF8,SHA256=164434E8F4148427FB400A90F8E1C8A752B7B213742081FE24926EB29C5B6C07,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048259Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:40.574{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64502-false10.0.1.12-8000- 354300x800000000000000048258Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:40.544{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64501-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000048257Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:40.544{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64501-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 23542300x800000000000000034519Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:43.659{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604EC4A2AD6E1D87C2CD96D11702DD3F,SHA256=55E2CFF414383F1F7E60CADC49E88CC9B36CF46CA6A669F96E565A49F55E2BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048261Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:43.738{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF475F78AA80206F27D964C2D9108F2E,SHA256=ADA7BFA42A3F9D6E096CE2F73BC05AC3FF4DCFBCB4E1D6BF6B35361C58EFB606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048262Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:44.753{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC6046D35323B43552A23B004222932,SHA256=85321CC3D9E1363F094A0B765510BCA15C07E6E0E5A2ECF6BF2A31FFA5861DD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034521Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:42.931{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51619-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034520Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:44.690{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05392EC41B69713C11BB2175E760A208,SHA256=EAD1D8D14A73B6745BF5EBB4C8BEA98CD2F444DE214716685E3B70ADB7CDA5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048263Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:45.783{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D13D765102AA6C5E9CD4D906857B04F,SHA256=87E9FFDBAD089F0EE0D61797BE53B38E030CDAF43C133934C5808387C26E9FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034522Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:45.705{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F200CF0D19ECA4C26D69E75089D6E0F3,SHA256=D01990D658953D74CB343304A25B1AFAF9127D5FB99278699C20BB4EF0DBBE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048264Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:46.800{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F584C248F3168721947E6FADB2BC44A,SHA256=271C0E5F154FBE4949DE37C9E90525578D5951D795C2F6F70045F5653F9EE39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034523Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:46.721{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933E2ED46D74091BCBB81809121D6EF8,SHA256=DB899F841EA0BD32457BEBDE006269281DF64747F179F7B79F2FA0C4DB23AAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034524Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:47.737{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C05AF8157B57F553AC108C539C268B,SHA256=C3A00D106E0EDC77E92B37676F5FF95912AD0C798B4D8C412BB350C28A9BD6BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048265Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:47.819{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E22564FEC80663181731BA2341BC48,SHA256=A2A19165A5186B75DF3A0BA299D445D7372ECD004FF89AA3C26AA3676B475106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034525Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:48.768{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC9D414CA280BABF1B3E00098B7F5CD,SHA256=367B3127FB498762C26991800ADF828D24B0D2BA3B7BCB7CDFBDF2063FFBA580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048267Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:48.834{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7A06D1CA7C6154C34601504B0B5059,SHA256=13AD6F80DFB892C19250864F48E4AA3F688A52826DEF5CDF9BF329BBFA7E1C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048266Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:46.584{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64503-false10.0.1.12-8000- 23542300x800000000000000048271Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:49.849{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B3DD22B96EFDE6405C00178082F303,SHA256=CCDDA22ECBEB096EED12B90E825D247E6165B267BECB16ABCCA095AC09B05011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034526Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:49.832{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF75B54DF97AD952240C0645E8BB3FD8,SHA256=41827C98FA8BCCCB74AA4619A8F08AFB9614CDDCA911956CC77489CD2F5F1C87,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048270Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:56:49.334{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000048269Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:56:49.318{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Config SourceDWORD (0x00000001) 13241300x800000000000000048268Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:56:49.318{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9A7B1CBE-334F-49C9-89E1-93C4FD220585.XML 23542300x800000000000000048284Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:50.864{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AAAE059847A95E30C99BDC28B26C96,SHA256=09729C29348AC676747A475C34027FBD537E6B1D8B8D5B3C939E80F22C49302B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034527Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:50.848{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3792BD536A5E246D32510672E1819FD,SHA256=0CEAAFF60AF1C2C71100359D938B17A28D9308355A0FD5D48F20C5BD3A83186C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048283Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:48.776{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64506-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000048282Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:48.776{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64506-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000048281Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:48.769{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64505-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000048280Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:48.769{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64505-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000048279Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:48.753{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64504-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000048278Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:48.753{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64504-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 23542300x800000000000000048277Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:50.349{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67803AE329268C615C95D0A403FB33E3,SHA256=80768203950B345513A644F640D5FC20B67BC2B281F1D2D32FD7320DDDA73254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048276Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:50.349{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEE6834A87E63371F8ADC02C83DDA5B4,SHA256=2D4FFE302648B1B8D28703CB37DFB1A4A51861B023A1DC4A9846CDAECB508D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048275Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:50.233{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF97ec26.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048274Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:50.033{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048273Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:50.033{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048272Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:50.033{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:51.879{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8F87FBB0B1EE7EF74491B82A7D8763,SHA256=7F222C4B1A3E2FAD6E4D2F7E3F866AB6AC19166D375EA63A8BFB3302DCDA1F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034529Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:51.849{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE6F28F69D678E06CA83DD181306D3E,SHA256=24C83131569BA52074B6B6257A8D1DA465BEE2E741A817039FE362FC9F0A7998,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034528Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:48.916{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.896{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B83D2207FD96C35A018CE250474051,SHA256=1DD211263E31FACAD215CA2459741477264C2712B42A26F38040B328C5ECBB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034530Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:52.861{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E323D99154FCA63617C9AFC00C4618C,SHA256=75481A8379976CF16085B05CC1AD07FB973A465628D95F85BE1B713A3948B75F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:53.930{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF074756E7B66AD6EC26F15BEF31120,SHA256=F72A75DAF4A0B0FF23BF214C262F85471CF1B72E26AA2B265ECD37962E6BED35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034531Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:53.886{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EB53179A6F2C3B79162E6A89413B6F,SHA256=25F2CA8CC6A2F541D9EFD9D763A4D65D966A3F7C2E56948F1D5610FE03483C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:53.399{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000048301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:54.946{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F1FF07DD629394CFC292A7714965C0,SHA256=9182334F92969044496699C75D6637E397F0153398ED2F29C95D070B94A03249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034532Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:54.902{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF996E421CAC78E46E00021C78649C3,SHA256=219702150B1CEE91C992A86579C3F9B2B56D12BBFAC7AA942817EC182CB78A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.834{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64512-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000048299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.834{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64512-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000048298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.831{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64511-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000048297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.831{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64511-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local49666- 354300x800000000000000048296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.830{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64510-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000048295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.830{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64510-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000048294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.722{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local64509-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000048293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.722{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64509-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000048292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.715{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64508-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000048291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:52.715{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64508-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000048290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:51.681{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64507-false10.0.1.12-8000- 23542300x800000000000000048289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:54.299{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67803AE329268C615C95D0A403FB33E3,SHA256=80768203950B345513A644F640D5FC20B67BC2B281F1D2D32FD7320DDDA73254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.960{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DFF6E5EA081C099A55FAA8773CEADE,SHA256=9E893F2B6FEF42EDD9D0F9977A3CB80814051529898A757F2E860AF54969761F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.960{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B77-6112-6908-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.960{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.960{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.960{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.960{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.960{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B77-6112-6908-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.960{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B77-6112-6908-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.961{82A15F94-5B77-6112-6908-00000000E501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034533Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:55.917{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC49672FEFFCD2452C691634DD00DBF,SHA256=2A0058FDC851981E3139B3A71D87DE07EE25F1041CE9CADBDF211DF1E23A9D5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.429{82A15F94-5B77-6112-6808-00000000E501}33921180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.276{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B77-6112-6808-00000000E501}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.276{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.276{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.276{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.276{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.276{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5B77-6112-6808-00000000E501}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.276{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B77-6112-6808-00000000E501}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:55.277{82A15F94-5B77-6112-6808-00000000E501}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034534Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:56.933{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B04C02C0C6EB7E2BF8CD49D753B7C58,SHA256=1AB266B6B1809893A2BEACBC6C8F2874B92A7FBEEAC8C79E815F51D897637ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.962{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F8F1EF528B2E6E9D8434269997293B,SHA256=08BED8A02CC562F7D911F185F657A35A3F591AA591B4F637DA3BA3FBBCF00E22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.631{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B78-6112-6A08-00000000E501}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.631{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.631{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.631{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.631{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.631{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5B78-6112-6A08-00000000E501}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.631{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B78-6112-6A08-00000000E501}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.632{82A15F94-5B78-6112-6A08-00000000E501}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:56.278{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6D1967E2BC2F76A2314CEF92F5217E,SHA256=55A4C58129AC947B19C08C74DD569615D6DC8992804EBD36A6966362957A702A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034536Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:57.964{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943A4BFD35F40901D7D63310AB6E6962,SHA256=2AE76855A9AC8FAABB107D1D3908178388D55E0AAA930FE5A801EA3A995DBDC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034535Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:54.861{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51621-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000048347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.997{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B79-6112-6C08-00000000E501}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.995{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.995{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.995{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.994{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.994{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5B79-6112-6C08-00000000E501}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.994{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B79-6112-6C08-00000000E501}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.993{82A15F94-5B79-6112-6C08-00000000E501}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.696{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=858AD08322B0B0AC7768B6FAD11F0F96,SHA256=2BD4EB39E6A7D844E7EB796EE90D5F6E8918B35529E59846197314162F4A59A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.561{82A15F94-5B79-6112-6B08-00000000E501}3588928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.377{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B79-6112-6B08-00000000E501}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.377{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.377{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.377{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.377{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.377{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5B79-6112-6B08-00000000E501}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.377{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B79-6112-6B08-00000000E501}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.378{82A15F94-5B79-6112-6B08-00000000E501}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034537Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:56:58.980{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D185CA740179E664C54A65F6D19295,SHA256=F66DB0AE204610A5584FB67C49E21DCCA76ED79C2788CCB4352D5CA910AF9EC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.822{82A15F94-5B7A-6112-6D08-00000000E501}38525500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.670{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B7A-6112-6D08-00000000E501}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.670{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.670{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.670{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.670{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.670{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5B7A-6112-6D08-00000000E501}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.670{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B7A-6112-6D08-00000000E501}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.670{82A15F94-5B7A-6112-6D08-00000000E501}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.194{82A15F94-5B79-6112-6C08-00000000E501}37886856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:58.014{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70715CC40C93A1208D200B8279F4D148,SHA256=D5FC736CE01E2408C09A7F55A86D35BA30F5C29F25CD9E805594811FF4983A44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.238{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5B7B-6112-6E08-00000000E501}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.238{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.238{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.238{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.238{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.238{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5B7B-6112-6E08-00000000E501}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.238{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5B7B-6112-6E08-00000000E501}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.239{82A15F94-5B7B-6112-6E08-00000000E501}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.022{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64553CDFCCA4F3FD2232AFB2758117C9,SHA256=573347D674CA927E1CDC569133270031965C271DDA71C586D717477838C7682C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:59.004{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8011DB306C71194CB9E2C698D229003F,SHA256=1C572BEFAF4D3149339119FD410E7C917333C87F3AD34C506E82A0EABD2651D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:00.253{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B4FB6DBA4978B8F36159D5F1BFE56C1,SHA256=BE5E5EEE30B40D9EF08AC64690EDFAC7C8954996FE7F7BB4E0962033C04647EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:00.053{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01782B07315F6B3A6B802F60583BE6EF,SHA256=48358AF7501E4C10ED228870079218B89B2FE2F2689CB9CFF3FD83A68A8A768B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034538Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:00.011{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862DED80461FBF101101FE5A9375DC73,SHA256=23A32E0D363259F5C96D778584BCA3E2F619F78EB28160B61AF5A46B8D86AC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034539Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:01.011{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4218C50D5DF9CB950482B1365693F724,SHA256=1E4B7026D840E58659A9FE4304AD3081395B35E6B980A56CEF9BA3C5D24645E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:56:57.610{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64513-false10.0.1.12-8000- 23542300x800000000000000048371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:01.069{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0044D4C6FE2C9B4A1049E0F0C9B8F866,SHA256=11AD68EC6118CE954689F2613642DD20F9842145F32AC9532637ECBF622DAF24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034541Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:00.017{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034540Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:02.042{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31762B1C6754E21CA8C1E493D4A9B1D2,SHA256=2CC9CD69AC0D57A79152F5E141355EE03E3531BBC4FCE9DF3507080F58AD38E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:02.169{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5628FA46C47690A12E47BA4C08A952BB,SHA256=25276C01EDE6EB8112962D66EB2BF682B1937547AEAC836393E30360A85CA08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:02.069{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD728F582B070D75DDE8F602E9FB297,SHA256=1FFD029092CE9CA2D4FD07963110D7B05606C597E95EC220FDDDDB3F6176C69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:03.084{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA5977738A2F24F782C8B0717A814A1,SHA256=0CB3346F2CB8F4C3EA51EE0D43A41B273ED5F69B3E92FAE6C67B0B32D21EE414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034542Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:03.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDE22A9417E03D87FF1BE9EB79BE676,SHA256=8BA9B8D4589B6926632480A61CF346BD97CFE5D96CE160CB4A760A80A80A5805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:04.101{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D3D90FCBE8AD0D33A19F1EF67333F0,SHA256=0911436A758DF3F673E41BEE784BC8845F7E55587CD15DEE6B73608FD4508AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034544Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:04.074{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034543Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:04.074{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80645FFE262B80029EC63EADDA6EDCBB,SHA256=35FF1B718F1E778B264BCBB2F9BD80ADFF390620E66A9C93C4803A9DC0B00DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:05.227{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1DF6F7E7A9CB9CCB82F3915F6CC01B,SHA256=6760DB3B70FE4F3F405862452DEFD300214AADBF6B9AD7C5D42C99808C6E5CFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034546Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:03.830{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034545Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:05.089{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2474922FD82EB1A94384212E0828FC,SHA256=B313778B5A099DC120B36FD4EA702963C07DACA1933E3C60BD10523079D08C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:05.127{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8D57C6B52D40E727FB8B76F85AA0871,SHA256=11DAB7ED210AFD68718BBB92F7F873DB03E4008C9D8351657DA4008599BCB2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:06.289{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F7EE00DF6B34C4341AA9E0ECEFC114,SHA256=3B26C1F60B439C02E343B459897E2E46F8178445E1E4B217449871C66436F5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034547Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:06.168{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCF52140C7F5E3B1C290ED74D017512,SHA256=A023C3D2373BD88EA571A8F4EC41BF981A8D35C24371ED0C530AED913A1031C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:03.602{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64514-false10.0.1.12-8000- 23542300x800000000000000048381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:07.307{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7684B5ED9FC0A8CBE9341CA021DDD9D,SHA256=AA986A09F430DA9EB9A4E00113F0E13603E053D480296ED2F16F11BEC77BC674,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034549Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:06.001{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51624-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034548Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:07.183{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CC485BBA4A264705F97AF20B692BF4,SHA256=00A709490712E703688C47FCBD2B31BEBC1D40CF71CDCD8D38664B55E2FFD3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:08.325{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80416E1C2D40E825604506773FC23574,SHA256=21156F260EF34F16F10B6486033E0DB059764F5F81176415A3CD86B921D12640,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:57:08.325{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd6-0x769d411a) 23542300x800000000000000034550Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:08.261{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3CB00D7048CB3D7A3A46E85EB6F3B2,SHA256=9C36C39BBB69E2684092441B4544C3B72AB1FEFC57D13D78768572945F90CE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:09.346{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37880A8CD495793D07D1E6C270D975AD,SHA256=A7994C611E6D62FE11D7835E1D9BCC474D6D2D642EE4313F4704996098E4EE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034551Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:09.277{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DED1261922E2B26873D2F9AA4A5A80C,SHA256=EE2CBFF3A0CCFC7A39C5E4A74841AAA9EB5FFAD6C49F29DEC997AE86AA004768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:10.361{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3939BA0296FCE90E14D3E26E1AB090EB,SHA256=9A94691E6069627B6BF9B5AC7D859066EFAB749420D89238CA84A108AA803208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034552Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:10.293{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F34AF1F741089798AC273828040338,SHA256=7861F5FA85DCB24563DB3F6DA0322ED6393A5259340C801F3B25D88AC9081BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:11.376{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DC73DA60DCBF582696DD7CFC97E36C,SHA256=95BC0D2160EA1B95D1802C3E6F5E20BFC73A0A5F662E5CCF7EF8672B2553AC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034553Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:11.308{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDA2CF4C3AFF3A31BC42FA893419134,SHA256=D4940C64DA748BA7BED00832FAE5B038C0EA2DF6A92BA3A524A2B049DA629400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:12.406{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B45E79AC9CBA62C986E1B891487146,SHA256=E00EA0E22FA436DCCD78522EBC1C8B7E0A6AC417A525ADD4243C9369DCBDF7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034554Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:12.355{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4445A378C0C1EA39D83CE56D549E86F9,SHA256=C5345F06A500007502557817590624A728025CD359BBE9AF02F57F0B4A07CF41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:09.610{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64515-false10.0.1.12-8000- 354300x800000000000000034569Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:11.939{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51625-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034568Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B89-6112-DB06-00000000E601}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034567Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034566Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034565Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034564Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034563Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:13.406{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573BF241667CDA1649578C55CD889728,SHA256=6C22F1518EAE41FA3E25A04E745E3AD0167A758F9DDC092335C20A76ED4DACB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034562Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034561Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034560Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034559Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034558Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B89-6112-DB06-00000000E601}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034557Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.683{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B89-6112-DB06-00000000E601}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034556Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.684{82855F7C-5B89-6112-DB06-00000000E601}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034555Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:13.371{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BE506180A8732B49FB57F135B204F3,SHA256=728C1B09C2B4F4BC7DAF8E53F9E42635484D4D3E3826799EFECBC9DE81CF5C67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034600Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.902{82855F7C-5B8A-6112-DD06-00000000E601}10602484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034599Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.871{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=78FE84748795993E8D46BE40E1E2A38A,SHA256=BF14D6AFDC8912E52F3045DE3A780BAB1A4842392DE0EB335FCD230A3CDCB60F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034598Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B8A-6112-DD06-00000000E601}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034597Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034596Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034595Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034594Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034593Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034592Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034591Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034590Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034589Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034588Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5B8A-6112-DD06-00000000E601}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034587Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B8A-6112-DD06-00000000E601}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034586Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.762{82855F7C-5B8A-6112-DD06-00000000E601}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034585Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.683{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38C4F5C88D742B0B8E5B08557EE276BD,SHA256=CF8209D27AC6FC6A48033E104634BC84A72ED6E96A27CB8A5D5FE711FACD59DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034584Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.683{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDFA089115CD1819E9A38A770960E9A2,SHA256=6AE119C102015A6ED97032E3FD6DE2CCD918B76BE0611CD1C8D5A3C9E950DABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034583Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.543{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC0A076BFC58C9EADD5A94C584EC5B7,SHA256=ED00C6F2D6D34847D574667DF320BA56AECEECB4EB9D56646110659EB6FEFD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:14.423{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DCE84DA87AEF8606F2700CB003349A,SHA256=C8B2141DA1D3D8E91C0B15211879B649DD206993C4B5F41624A1E2C015D11122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034582Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B8A-6112-DC06-00000000E601}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034581Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034580Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034579Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034578Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034577Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034576Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034575Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034574Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034573Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034572Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5B8A-6112-DC06-00000000E601}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034571Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.183{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B8A-6112-DC06-00000000E601}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034570Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:14.184{82855F7C-5B8A-6112-DC06-00000000E601}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034615Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B8B-6112-DE06-00000000E601}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034614Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034613Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034612Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034611Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034610Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034609Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034608Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034607Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034606Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034605Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5B8B-6112-DE06-00000000E601}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034604Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.902{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B8B-6112-DE06-00000000E601}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034603Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.904{82855F7C-5B8B-6112-DE06-00000000E601}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034602Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.762{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38C4F5C88D742B0B8E5B08557EE276BD,SHA256=CF8209D27AC6FC6A48033E104634BC84A72ED6E96A27CB8A5D5FE711FACD59DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034601Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:15.543{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD8054F21776F8FC3C078600625C3C5,SHA256=DFC7FEE04BF2F239644E5BE897F93CC235953C3018317E6362D58850A45F1A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:15.458{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087D39E6FAB19B7F49CDBEB5800D0065,SHA256=D9D4B127EAB9F0E1077653F08A7CD242044737A8546AA8D4FB5CB2A6E4E1EC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:16.473{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00658C6AA83757F366B61E8667C01F5B,SHA256=069F7328D020A5DA26C65F50AB45A65E05BCF19E284E03367FE6C89DC011FD8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034630Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.574{82855F7C-5B8C-6112-DF06-00000000E601}21923948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034629Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B8C-6112-DF06-00000000E601}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034628Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034627Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034626Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034625Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034624Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034623Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034622Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034621Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034620Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034619Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5B8C-6112-DF06-00000000E601}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034618Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.418{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B8C-6112-DF06-00000000E601}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034617Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.419{82855F7C-5B8C-6112-DF06-00000000E601}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034616Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:16.184{82855F7C-5B8B-6112-DE06-00000000E601}33241660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034660Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.840{82855F7C-5B8D-6112-E106-00000000E601}17441372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034659Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B8D-6112-E106-00000000E601}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034658Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034657Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034656Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034655Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034654Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034653Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034652Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034651Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034650Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034649Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B8D-6112-E106-00000000E601}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034648Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.683{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B8D-6112-E106-00000000E601}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034647Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.685{82855F7C-5B8D-6112-E106-00000000E601}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034646Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.621{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C135A8CDC721849F203CF58C107A38EC,SHA256=103CC47D27C3A681887C926091AC9217E57278A444EA96A7D261DEE0EE8642CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:17.503{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1969C95433CCEFC0A63E049B408E3D,SHA256=7697FD3D6EDCB7848789EA4CEF6CD54846E178D01E2FD2C42E28074B314F71BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034645Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5B8D-6112-E006-00000000E601}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034644Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034643Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034642Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034641Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034640Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034639Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034638Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034637Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034636Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034635Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5B8D-6112-E006-00000000E601}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034634Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5B8D-6112-E006-00000000E601}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034633Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.061{82855F7C-5B8D-6112-E006-00000000E601}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034632Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C709DC5D6FF1BCFBBB77865507E16AA,SHA256=B61D20564F8F1B45F7C446B0DB8AD430FE390F2EA38890ABBC480A3DEF7348BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034631Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F15032017310B0480A9F17498717F0C,SHA256=C0E2AB3355D073D0F04EF3E5F28D32CF0CB556F1B9191F542F5E716026853A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034662Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:18.637{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F5B8B511CF81FD7C8EC5462440B6DF,SHA256=BA44C03A1B245B545BE1E886CD758DD13C6F08CCEDA22D82FBEAA9FB9CB56601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:18.671{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:18.624{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000048398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:18.603{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000048397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:57:18.603{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.64.110119058C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:57:18.603{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.64.110119058C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:18.540{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338BA136BA1CAC489342329647D1A472,SHA256=57BC63113C851B833FCB841AA7ECE77403C39D9E67424FD203AF1800A26E9204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034661Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:18.121{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DB74F45A2E6D18AA657373227021C0D,SHA256=3F12AA4190C6EF589CF9975773D8F80BA43C386C522DB7922595F35C132E8A3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:15.576{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64516-false10.0.1.12-8000- 23542300x800000000000000034664Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:19.652{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6224F0AEE6D43FE198D4E5E2E81333A,SHA256=0AB77711C30A062487E68CB2889C462943E5749B97BEDFD19457066C15D4C330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:19.571{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85885963073BC2502880541F6ACD5E1B,SHA256=67ED8DE62B5A2A0DDB8DE626ED2F48E85E55299F3A548F5BAF76ACC76E7216E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034663Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:17.018{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034665Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:20.746{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A9ECE6F56A38C793143DE1ADBC767E,SHA256=3E4B5D15931629AFD404699CFA83665E8DE404356492ACA9FE2416C8F9B0D97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:20.586{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AA4DC1525679474AADCCE9E1701C0B,SHA256=8E740A3ED910B487B35E88644A6118929456323C8561C8B37E9890E0C10EBBB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034666Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:21.777{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8694F8183AD51EF5BA02503A974B56,SHA256=EF0BE6D0365349C3C10F0DE98FE399724621CF4D380F863E5DE5C89F59E27C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:21.601{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67357291A0788F386CE92270F411BE4A,SHA256=D5068194F608EDFA1A8E04B87451DDFD66091D647CDE725F36FE980E192CBA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034667Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:22.793{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1A38EDA0DAC759EAFDC944F0A853E9,SHA256=CB665A9877942C532F4C12F78FA636136A59397BED3F083337B6E03148730D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:22.619{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5DE8A46AC16E523563C5BC1EAFC89B,SHA256=D6418923DE43B15FA1E5107DE6166A88DAF4F393EE3AE698FB745063074D9A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034668Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:23.808{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62628712690C304ED60B244B843D4EE,SHA256=6CA5895CF94363110F2A8F3F0F9FFCBCADD1604E4FD8D18CAEA4746D37AEF55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:23.637{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84014561A0CB6F63A179E385CF61ABC,SHA256=3F376524D986E827F5444F6F062820BBD03E309B64DF40287B03E861335C03ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034669Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:24.824{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396DF12FE39DAC92FD87935DD4E60E01,SHA256=0A35F206D9191FA5FBF8E7822041F22EC8422D22125ADC90C41CC4E2D664ADD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:24.652{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17805BAF993F45E997986C8401CCC793,SHA256=2B2FA6FBE568BE3D9D63D27A3AA92623C1FC0AA87CFB863EC9649397D4FE1F8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:21.603{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64517-false10.0.1.12-8000- 23542300x800000000000000034671Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:25.855{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D745EBA5810CFD38C3DD6A17D54BAB63,SHA256=51F057AC3EB32EBBA117DED39ADB2E8A366CA1553F21271A90D317861F145754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:25.667{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3DB4FC5DC16E5681F7D4ADF43E132CC,SHA256=5A7FF64914FA678BCB870A4AEBE0311EBA82C880136FBE31ADE42BFAD87C3380,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034670Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:22.830{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034672Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:26.887{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6772065867A1EDDC87558088B512669,SHA256=1923D181E7EE21696C97612674BD15B47658A0AE2E8974E27F4D8CC359B38B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:26.682{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BD0E036308C626B574172E74C85B37,SHA256=7DF95A8A332A48384F4CFAA0B8F7577DE3B2A376C4E8AA4B2FE9567E4AB3019D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:27.696{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A298CB7D5BE99EB862DEAE6270731616,SHA256=26DD7EA0FD0EF6FA9A43CF4462C17F8DD9BD9DDDB6DB378F31FD19AE80BAA541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034673Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:27.902{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0579D63030026BFBD31A8940F07D9140,SHA256=172AD5A1F17F79679ADE27D5394F9408EB34003BEC27ED661609ED59E9E2FCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034674Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:28.933{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159C5A9344DBF9F56449E757F266A7C,SHA256=54AC374753049FB0FFF25AA6338722F374E37EE0E0D11057E9066D9CE048AAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:28.764{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6252EECE290DD5BAD183F244FC27B35A,SHA256=2DEAC9B7F96BEB3AC1139C9312FABB7E49E893970ABEB31F95DFA8AD9E6B47BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034675Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:29.934{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E734E338F1C0A23687344B5F99C06360,SHA256=3E5AC8A62AC6BF1E8C5611029FB51FF4FF836AF6ED81D31B3C5E70221F5ED6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:29.795{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC8C3D03B33D2D78FE1A89063F71B83,SHA256=7C1E1A34DFBF224D4D6F5D106F70E9F4BCCD9AA2FD480502982C21618B6F84B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:27.530{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64518-false10.0.1.12-8000- 23542300x800000000000000034677Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:30.949{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB84C905DEC1B5ACB9261F3C174461D,SHA256=2B350FFFA7F8B497B1CFAE1E046239E07CA3EB1FFAD3FBC4145F183AB0C8B94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:30.832{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBE80C781713470EB1C288A8428FBED,SHA256=DCE26A1AABC87614354CF2E86C78D4CE190633D716B195648F489734F02FC39B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034676Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:28.001{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51628-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:30.695{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:31.863{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76A05174E332E7E14C2498CB79A28C6,SHA256=00C4B3EF78A37BF23ED96730E45A4B0F527E3C908A1B6387EEB212527F2AD9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034678Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:31.965{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3CE1EAE87A2F7E603C9108FA92EC9,SHA256=4751C4164F7F6EDBBB121697B55BAD544604AA5FD40D4C37B616CF5220AFC438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:32.878{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83308D70694676213F7DB2D5586CBA54,SHA256=12FEE5F0174D19423FCCB4F41542CC721695F966120832C4FE95A22A7AAA4DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:33.893{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D90F647F96173E4F29B377E2FB00BA,SHA256=3DFDC16D04C37308294EBDFCA7F4917CED855FED177AFC1C0F9CE62320AF9CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:33.746{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:31.465{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64519-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000048420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:31.465{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64519-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000048419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:33.093{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27F1F3331974F873D407FF04A2648AD5,SHA256=8D96AF2BDB511C1A9FC50B3EE7F3B95815715E17F36EB187285A023364BA3AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:33.093{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2DF59FEF2330DC399DA381B39D5CECA,SHA256=4397B44D2D4EEC2770EA5B714D2DE5DFBB0ADC82A68AFE4703C64251E4E74D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034679Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:33.028{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DF720C063D798926FC371E81656D94,SHA256=E8631B1466B3445B2F45DBDCA83C9D82B4C0AD59A7DEBE0EC69645EE85769359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:34.910{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C29473FEF36B6AAAF9421EDBF109AF6,SHA256=A8F8D7F7E781427B676350C262EAD320C0277B88E79CADFD5A6CF3E77E30552A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034681Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:33.017{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51629-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034680Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:34.043{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B24B7A3702F0BA7A6DF62D3E6698B4,SHA256=5A4413EF85E828EEDB5ECFBECC4D3230BA255EAC3155A3B1ACA34BF3C5A011F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:32.665{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64520-false10.0.1.12-8000- 23542300x800000000000000048427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:35.929{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22E5D32664012B85C248BCE6F379478,SHA256=5DE089D3F3D05FD58CFE98771BF4507C71E2405418D4F9FE78575B42C503DFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034682Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:35.106{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B1B856C73DFC2573E248A8A949FB28,SHA256=AC8C8B3E4C0EE65FA1D6950403491A5B635ABED478912B5F7FDC1B9DBB8F959F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:33.164{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64521-false10.0.1.12-8089- 23542300x800000000000000048428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:36.943{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EA4063BB6797FA77B7FE5E5D1B5CB3,SHA256=ED83CDAEC4A145171FE8414F01DF8664C3164240BDE2BD83C03DFE99200A6E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034683Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:36.106{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DF30EF3FE092572898EDF2AA6547A5,SHA256=ADFAD28433333D606CAA0C88B6EC36D6D2FFD454D813E9CFFDD3B076546521D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:37.958{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF050D5C22DFA7E54C23CFE5318A1B2,SHA256=AB67473115FFD08252D315E6357D78AC1E8BDD9409FFAA6823CB78672DB2D1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034684Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:37.137{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCD9F48B3544F4F19BC8CE36FD46A20,SHA256=47443627EFA3AFB7533C70B45B68AA0319DF6C3FF2A54BE8491FE7EF8997BB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:38.989{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE08F8215707F65C2FC5ABC3FCCE32E9,SHA256=C7677BADFAD97AC0379A73AD77859850D88F490164DF0606DDAEB9F1A770ED7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034685Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:38.199{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65127D9E5B3E08EC8956B649E49A6A9D,SHA256=D89037ED1B9B115A861B1CF31E977BF83B2732EFC1039470525E17DCCA9E58D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034686Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:39.215{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D7F2D291EC2B73254C778F3FE365FD,SHA256=42A98FDECFB0EE06F9F7279619A1023C4D1A6E6F1293B5B97AD67C233293D189,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034688Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:38.986{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51630-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034687Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:40.231{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E10F980CE8CCA276C13295B0F3788E,SHA256=6CB1D9FF476518F39DB86F38D8F1439DF3A6F9C329BC49A11F35AE8912745D25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:38.539{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64522-false10.0.1.12-8000- 23542300x800000000000000048431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:40.008{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CFCE8B147A68A014B6BA313B98FEFE,SHA256=AF034C00404C688B595A1F8F5605138B7F129228CCC9DAF69BE71B354A86A558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034689Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:41.246{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADA62B671EA2E6EAAD1BEF563DFBC1D,SHA256=BF72FC45682BAEC85B83BC6C6A3358067012E036F1B59DE7BC579F5F9251DC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:41.026{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D1FBB5C58F2693248689223137CB16,SHA256=E20281AA862EB4664F7605A5AB451E3CC9C9567A3F085D4E2B426039A50BFA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034690Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:42.262{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0F90E41709E1B10CA4DD661ED87A2C,SHA256=13C016FEC45433258EFEE7DB7463FC543DD943A44DAC3203B9EDB5CD29B0A23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:42.041{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15C6AD5FE23C342110654A8C4D3C019,SHA256=9DF79502CD1BD63A175EE6A5D8D1A394D3BD2CBE56935545E869E03A583FE8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034691Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:43.278{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3873DA026FEABD3415FC9ADA10BEDB4,SHA256=FECEA300F9A39FF0A479A42C50C6363A7DB3FC4F79F701B32BF080A5D749ED73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:43.055{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224E2CF393DE18BAF1427868A6803283,SHA256=8AC1070D6D791B58B3DE6A4134BF80A3FAF9305BCA4713F1C1104C281E7218C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034692Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:44.293{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D634A3407F3C5566AD16CCF64F79C808,SHA256=68BBA7BF25D2DB9829C5BB46D0D2D94B0EAA25060D1A23B7CDD30226E3B200B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:44.057{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288847D7C4856561E6FBAD6B4A18EAE7,SHA256=99044FEBB63B883AD6917443CB93D21BE42415B3B1A7E90B0D591E454F0F9915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034693Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:45.340{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB26CDF1C13336EAC58912CA8D14F438,SHA256=D970ACE2AC82E45C40087D7EADB3DED9B7251395AD5835A1F07AF19EFDBB84CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:43.659{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64523-false10.0.1.12-8000- 23542300x800000000000000048437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:45.072{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E64D01EAF92BCB3980E59E2DC0812CD,SHA256=DA26A9C0C380465E9220A6F48EE7ACC10C73AFAC197AB233B1518B42D2075B7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034695Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:45.017{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034694Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:46.356{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237A295C42DE82B7E5C45A6D53943DA6,SHA256=17817E948CD4BF750114F3FCB46C42D612AC6A94508DC3265198BDA557C71219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:46.086{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290BA7B25BF452B301778117FE8C3786,SHA256=F2169A1263057485995038EC993582129C8E75C6281DAEE5C0A87CC929ACA1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034696Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:47.356{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403AEA322C684CAF5C644AD5DB915DEE,SHA256=610922008C2DFF144787A5DA82B98BBAF8B726F724450FB5D6A59C6D6C77E86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:47.103{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD0833D8786B299EED4300FEDA15345,SHA256=C9DD3812E7F659ABB8526458CD2B4041F9CE998936DF0CA35216AFECE57C7C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034697Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:48.371{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39822473424303D7ECD059A05C7EDE5D,SHA256=C8C696EC265AD9E7644A295D73C65A4483969F7387601B18EEEAA3AD4EFD2C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:48.107{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D957C4EEC6FC8E15D7C7BE8EB3F08AC,SHA256=E923FFD020B18E4D44A579E09B5304A9366FA2E15E4136D4529625E61A684E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034698Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:49.433{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B279B444FFB27ED87A9CF2671B9FDF,SHA256=0410A50BD08F0542F00012382F683858ECFDCED430905840872CC2AE1340A8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:49.122{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF804FC9A115EF3513E8EBF9A084AD8,SHA256=09F703904C2A8C5341AE37E32FF1A96ADDCA6920BE07A20EA80608A3F5BAA8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034699Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:50.464{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43738A99E272AB9CDCDAF55AB7F4AF65,SHA256=4F772A652803CAD63C0A98249362A1F5D9CAF37AEEE3FFDBA1527E76746D8D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:50.137{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB42D224B6427EDB5B3EB64BF8F9AFB,SHA256=450148EA8F69842229C2EEF0345BE9C8CB972D2D6CC21FB981FDF239BEB37E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034700Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:51.496{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398E5CFFD37A0191A7A5979DBDEEE245,SHA256=52761FEDAC5D358440837C4A04CE072A87780CC4AA174485EB04BE153FFA2267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:51.152{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A252B110C5F5374839AEFA79DA48681,SHA256=0CCDE02F088DA99062790BD4200FB09C1FC434A6CAA0DA01654809718BD7DE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034701Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:52.589{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F027E7679D545193CD6F245889C05C,SHA256=B84822569C7381DED233B201E906799DD4CF595EC5249B352B3FAF54EE0A842D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:52.167{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD36B218BB5C8B3EB2CBE060CA980716,SHA256=073631741FE4DC6DF94549B54A1123A6F5A92627259DF1D7CBDC5C7D9D7CDA79,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:49.618{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64524-false10.0.1.12-8000- 23542300x800000000000000034703Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:53.591{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C9B221FE85E509731EF7835419618F,SHA256=3F18E0B1E788E74CE1C1EE9F7853BDDC342F43FDACBB7255D3DB3B6DB1114C31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:53.719{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:53.719{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:53.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDA25BCB0C2C192ED284CB6A84020A9,SHA256=FD56F3D3E3D0C85040B33744AED7EA63E3632FCD98AFBE0C7189F44D56CF32EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034702Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:50.784{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51632-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034704Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:54.619{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EC2A972CC0D52D4180D688B3FB5C57,SHA256=278ECC68120C8017E521366DC19ED4409300315975E91C883ACF757994CC05BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:54.199{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2181C5B1E4F2A971BA60EF1116E923,SHA256=1DAF5E811AD7A704728CB74D9FED2BE9EACF83B7B49C9F88F5E9D778A97B2374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034705Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:55.637{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5E55124D94833B45085611CA791CE1,SHA256=8915AED5DC5518B51055689C205CAA3CAC7F19852FCD13158EAD36A3B631DB77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.980{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BB3-6112-7008-00000000E501}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.980{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.980{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.980{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.980{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.980{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5BB3-6112-7008-00000000E501}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.980{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BB3-6112-7008-00000000E501}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.981{82A15F94-5BB3-6112-7008-00000000E501}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.301{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BB3-6112-6F08-00000000E501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.299{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.299{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.298{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.298{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.298{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5BB3-6112-6F08-00000000E501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.297{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BB3-6112-6F08-00000000E501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.296{82A15F94-5BB3-6112-6F08-00000000E501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.233{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89023ED7D29D8C391AB4BD9DBFD26287,SHA256=50B2AD1AE8DFA00531C47AA9D2169FAFA45AFD709DD7E8AA9FE7F78DDEC71077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034706Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:56.653{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E43C4B194202E6F0AE436A15A81C491,SHA256=82FFD1B151F28E82380C19E70AE972A8C18F9442DE172A40B1A5D299001836D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.479{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BB4-6112-7108-00000000E501}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.479{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.479{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.479{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.479{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.479{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5BB4-6112-7108-00000000E501}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.479{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BB4-6112-7108-00000000E501}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.481{82A15F94-5BB4-6112-7108-00000000E501}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.317{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C185B60A27D350E5D8DA79DC2007179,SHA256=0249F7FC716A8949B69125F2801DF994EEC89480A214F8B7F16FF68A031A8A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.317{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27F1F3331974F873D407FF04A2648AD5,SHA256=8D96AF2BDB511C1A9FC50B3EE7F3B95815715E17F36EB187285A023364BA3AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.248{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA1366DEF527BB9ED0E4A7CA3E20261,SHA256=347736BB62CAD687E1053921DBC4425549128E3936DABB87369D474AD7B5D926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:56.164{82A15F94-5BB3-6112-7008-00000000E501}10801328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034707Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:57.684{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC84B63503D5F43CD1462D4FF5EF5FA8,SHA256=C98758B516E126096B42F221E5A7557149D84405147E7F4EB11A3AAE3A834B51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.532{82A15F94-5BB5-6112-7208-00000000E501}16966784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.499{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C185B60A27D350E5D8DA79DC2007179,SHA256=0249F7FC716A8949B69125F2801DF994EEC89480A214F8B7F16FF68A031A8A94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.379{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BB5-6112-7208-00000000E501}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.379{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.379{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.379{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.379{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.379{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5BB5-6112-7208-00000000E501}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.379{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BB5-6112-7208-00000000E501}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.380{82A15F94-5BB5-6112-7208-00000000E501}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.279{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C5D693AAD1A672C01B275B7A4DCB6A,SHA256=80128FEE4E2FCF8A23A1BABC9ACE6C693E9BE12400F2048FF5E44235EF3A7A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034709Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:58.700{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72068648A4CEA2A49107CFD0A14AE110,SHA256=94B80DDDE1A5F7BE7DD7DF9C26D5DDE4AC61111D57702DED2C159A2A47E9B42D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.832{82A15F94-5BB6-6112-7408-00000000E501}15483436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.678{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BB6-6112-7408-00000000E501}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.678{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.678{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.678{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.678{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.678{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5BB6-6112-7408-00000000E501}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.678{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BB6-6112-7408-00000000E501}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.679{82A15F94-5BB6-6112-7408-00000000E501}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.300{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE3366A3FDAC80492C00A4840620CAC,SHA256=A10B3EA6F48F51381D93F3820CE1CE228986D79EBA5785D70DC382FB48EE8B00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034708Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:55.955{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51633-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000048500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.162{82A15F94-5BB5-6112-7308-00000000E501}67564116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:55.483{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64525-false10.0.1.12-8000- 10341000x800000000000000048498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.000{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BB5-6112-7308-00000000E501}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.000{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.000{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:58.000{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.999{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.999{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5BB5-6112-7308-00000000E501}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.999{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BB5-6112-7308-00000000E501}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:57.998{82A15F94-5BB5-6112-7308-00000000E501}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034710Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:57:59.731{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9178BCD8CB7BD6514F308193915A4B34,SHA256=7DE8AD621A634369B21E6A73B70AE26AC44BED0C39E6C879062A18F938CC8770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.332{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BB7-6112-7508-00000000E501}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.332{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.332{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.332{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5BB7-6112-7508-00000000E501}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.332{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.332{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.332{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BB7-6112-7508-00000000E501}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.333{82A15F94-5BB7-6112-7508-00000000E501}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.316{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE5D302FDF5A6A41C6B6AFBEAA14FE7,SHA256=C74FA189F2B014846EBEB88DDE0C279174CB7B7DD2225CD1D74CF1533E9D2A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:57:59.016{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1579D419EE95B32CDA8D65D10DE0CA3E,SHA256=0F74FBFAC8A323D60DB055A67D80BCA2070A8EFEAD0850399F18BD02AF525D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034711Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:00.747{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC8326FCD610AF90D0AA667619034F8,SHA256=FAC63DE5B40B80FFE2937950442F7C2FE9404ECAB8942AB687CA7A02F2CBAE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:00.340{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0D46F82C603DC5622C3D826A24F0E93,SHA256=1306C2122AD146AFD06CFE8AD43B0053132FFF4BC0A7BBE2EA5D6D08B8F885BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:00.324{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602E42CE06AD3B076B1C2FD9D5E61E4E,SHA256=C7FDBEC522EDE474CCD7DDB700D04D7D5466ABAB792F692826671E2F613FA064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034712Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:01.794{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032D0D6EBCAECBD7B215D3C6477AF714,SHA256=FF58C3E1580991490AC402203C35F13A81372140D08C41CB1C5BAEB9A699DCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:01.339{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4F0DF326E5305B6FE713097BE13F07,SHA256=011784EFD57F118D1A658EF116ADC2AF33654FC2BDD8BACFAB011D674D2079F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034713Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:02.840{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326BE83ED251B7128A6F9238E04DAA59,SHA256=56EA744A0C5511D0B301B43AA7AFC48566327CBC85E378D4DBAFD9A4F13A2679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:02.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91D51DD420E063AC9CA7928E0209F75,SHA256=951E0B936329C422B9DB3C17463FA649D3310717C0811231364BC66DEB3C8462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:02.170{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0E11FB44944C78D0938AC20E67523B46,SHA256=784C1D4CD22B5692221B644E52AF92482FF0171113652F3A7AB6D852EFD4C5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034715Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:03.856{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A5AC672B9359CC4DE1642BD6EECC3B,SHA256=2FE39A5200930AC3BF4A03E06A4A862CC8F657571434C103059BE3DF4B168F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:03.370{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B66D67BC7AA984122AAA7FCBF2859C,SHA256=1506311721B8B29AD283486519A016EE4A2010C5B76BE2C853BBF712F0EF4ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034714Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:01.939{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51634-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:00.573{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64526-false10.0.1.12-8000- 23542300x800000000000000034717Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:04.887{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A6AFB49344A6891548CD30DFF9FFD1,SHA256=DB1E26682E240892217B0107F5234419634F5E627A5F2F7DD978A23131F89CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:04.385{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24C8741F43AA3A7EC32F2D06AC7A150,SHA256=495D364996EF63CCACEB6933C7DF1277464A7F19CFC16AC56B0C7C7E8A0102E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034716Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:04.090{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034719Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:05.903{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F556FA25748E36CD570DFB002241A5BC,SHA256=1093668BAF92829AB22D5D8C81D084E3B3C34BB575E4CFD0B00395D050ED6C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:05.400{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7953C827FE74B6AA90DE50DC862764D,SHA256=4361B4286BCFDC4C2D50375D330E46988DA6C1963BE828174CB4E79077D48D65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034718Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:03.846{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51635-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034720Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:06.919{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCA071F75B2F1C29009C6426C853092,SHA256=B38CB102932311B3F3BF1423A725ACF35B5F5BF4B4208CDC61ACEE109C7B7A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:06.418{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6DB155B5E18BE9EFDF8927DB65D485,SHA256=B2AAA2E47C6005C338A523F7E145018D9E70CA58ED7A988C72BF7CF8FF7D9138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034721Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:07.934{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E256E0143472DF201B63FBDC0C9F38,SHA256=A658C77B77105FB5B8F8EF894EED4F563739D5BA31CD67B26D40E534015D26F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:07.452{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68579175F8C1EFF8B5F145DCEFDB8AB3,SHA256=983F4666FB7322D27073C4280DC069DE1B02C47E1FAADB5F08BC38B4171FA84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034722Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:08.934{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F509A82107B23E14F46796EF02BF26E,SHA256=48356C34F7E5074B2A78FE50C12FD960D126D829CCC5EF0BBB628E43B9915BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:08.482{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DF1B6D98D4FF9CE7562A487F52B310,SHA256=F4B562A123962A2B2A6CE7EE4857729719BF7687D4EF6205207939CC6C155A1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:06.486{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64527-false10.0.1.12-8000- 23542300x800000000000000034724Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:09.953{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8405DAC9D7C69EC620A020D9B45BC2D5,SHA256=10E8A484BD5CDE9D925AA73371CC5AFC58A4CF69D541C17196F0C5E908AF6DF2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:58:09.935{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd6-0x9b56376d) 23542300x800000000000000048534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:09.497{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99F49FAE5F165C1F08CBA545BDB7900,SHA256=D64DD471CF38FAEC1F8B6C0E28410E2E75FD5C2C891BA7CD87B284491A3F7157,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034723Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:07.924{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51636-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:10.497{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B72C1020D901609FDE1A3F2140FCC9,SHA256=494887C207CE59593FF50474BAB68B404EAB971723651DC3A6A92FC879F2B1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:11.515{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6F79F9F77B08B42C1624731895A468,SHA256=9EDB2ECD409BE95DBABBD5866C75CE7C5B9DAC5E7E685A4DD83FFFB29A6EF045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034725Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:11.000{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2918ADB2A2CD7531AC10DBBF1F1412EB,SHA256=EF0E7E20048C415EC258C49EE5D15456609F24E31BD3890F515F3E64CED48168,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:09.347{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-15.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x800000000000000048539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:12.533{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C123E55D4D268797FAFDF79CC5EEA9F,SHA256=2781E822D3BDB1048B2A56CD6C5E14CD786E78D8F097037DEED42ACEA110FDDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034726Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:12.062{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F75042B54210539EA18B4336056375,SHA256=8829046A047485203F4F16291FC019D8316EF0B902FBA58CD9146EAB68C428B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048578Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048577Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048576Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048575Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048574Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048573Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048572Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048571Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048570Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048569Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048568Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048567Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048566Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048565Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048564Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048563Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.713{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048562Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048561Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048560Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048559Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048558Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048557Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048556Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048555Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048554Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048553Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048552Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048551Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048550Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048549Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048548Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048547Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048546Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048545Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.712{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.711{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.711{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:13.549{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56794FD1C41B0FF1DCC2EB583F8ECC89,SHA256=EFFA4D21E576B627816D6FFB11B087026AD1FCF2F21A5DC9DC102ACD62EAD99C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034740Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5BC5-6112-E206-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034739Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034738Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034737Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034736Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034735Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034734Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034733Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034732Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034731Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034730Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5BC5-6112-E206-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034729Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.687{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5BC5-6112-E206-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034728Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.688{82855F7C-5BC5-6112-E206-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034727Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.093{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5645E34FFCBF25E793BEDC1B65F9FFF4,SHA256=2FC84888ABC7C4183B8D7AD31399C28C31FC1B625D91A64F7E8638D646E01C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048580Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:14.613{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DABB68007356C6A1CFE8EEEC4CDDB33,SHA256=1570CBEA38B70447A515FB2799DB3236D8447C9867E3B73D98B087CC62CB7C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034772Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.875{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5DAC8DD9D44736C8B3C86C2A459F9D7A,SHA256=616928993FA1AE75DF6D3F8561BFB1262FE0C7DFAD060239037DC7F0986ABDCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034771Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:13.020{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51637-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034770Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5BC6-6112-E406-00000000E601}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034769Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034768Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034767Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034766Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034765Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034764Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034763Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034762Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034761Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034760Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5BC6-6112-E406-00000000E601}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034759Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5BC6-6112-E406-00000000E601}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034758Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.750{82855F7C-5BC6-6112-E406-00000000E601}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034757Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.703{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F3409961ACEF601381FEB85D6FD9D30,SHA256=6BAF0AC0A3E7D282E3610B0F64F2578B63F07FCF69CF1E58C9821B2D006DAA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034756Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.703{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A38519A84FE94FD0702CAE3E9E59635,SHA256=5B5F2E30A679E055E3D97351CEA3429D720583DF6F92ACB81E304B19960DD453,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034755Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.359{82855F7C-5BC6-6112-E306-00000000E601}30923044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034754Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5BC6-6112-E306-00000000E601}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034753Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034752Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034751Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034750Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034749Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034748Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034747Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034746Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034745Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034744Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5BC6-6112-E306-00000000E601}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034743Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.187{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5BC6-6112-E306-00000000E601}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034742Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.188{82855F7C-5BC6-6112-E306-00000000E601}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034741Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:14.109{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2C406E5B8139657F6459A5BD84B13F,SHA256=631479BE607B7C3DC08DDCFD9189BE4D4935A6567265BB1BB2131EB19A9D1018,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048579Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:11.567{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64528-false10.0.1.12-8000- 23542300x800000000000000048581Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:15.647{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8CDEB643B52439A665BB0F7BE483BB,SHA256=C12717F07222D053DB2AD946CF5BC6D83916D754889ECB1EBD882393E1A60128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034787Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5BC7-6112-E506-00000000E601}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034786Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034785Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034784Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034783Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034782Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034781Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034780Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034779Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034778Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034777Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5BC7-6112-E506-00000000E601}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034776Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.906{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5BC7-6112-E506-00000000E601}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034775Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.907{82855F7C-5BC7-6112-E506-00000000E601}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034774Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.796{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F3409961ACEF601381FEB85D6FD9D30,SHA256=6BAF0AC0A3E7D282E3610B0F64F2578B63F07FCF69CF1E58C9821B2D006DAA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034773Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:15.375{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F943B02D708D778AAEC092A7EA842EA,SHA256=60563515BBCADD2581F2E9CFC52F5D56001EC277E44DBB7C9E9D521314AAE53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048582Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:16.663{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748EF97F54561B34BA2630C83AD41349,SHA256=110E8FF2E9A6258F526D36B85ADB4553BDDEC82390EF6FC055939A8A4B8868DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.921{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31AEB913C1B490F1B0A8AFDBABE3D8C1,SHA256=F9647C3426811C86715DF591C05EDEBA562511289F2E4D56F5C54508B090DF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.718{82855F7C-5BC8-6112-E606-00000000E601}26242528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5BC8-6112-E606-00000000E601}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5BC8-6112-E606-00000000E601}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5BC8-6112-E606-00000000E601}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034790Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.578{82855F7C-5BC8-6112-E606-00000000E601}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034789Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.375{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DD8049A1118A7BD3D89A8B1875A78B,SHA256=D9CFD80C8DE50C7EFA9946410EC6751186396DB04EF4DC788864C63D24C04EBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034788Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:16.046{82855F7C-5BC7-6112-E506-00000000E601}26481036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048583Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:17.677{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E7D7D3358BCCC8F0B65810297F7311,SHA256=F00B52A8047128C9106A293CC2FCF7CBB6A1F0291C3DC4A84C7E38A0228B71A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5BC9-6112-E806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5BC9-6112-E806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.921{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5BC9-6112-E806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.922{82855F7C-5BC9-6112-E806-00000000E601}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.609{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399161A564C51F96BC4DFA84CE89D472,SHA256=683E19BB98F63B36CA63B1FC145929B7F0623F5AEEB7BCDB84C342F41EFCE774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.437{82855F7C-5BC9-6112-E706-00000000E601}21963800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5BC9-6112-E706-00000000E601}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3681-6112-0C00-00000000E601}7124028C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5BC9-6112-E706-00000000E601}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5BC9-6112-E706-00000000E601}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:17.250{82855F7C-5BC9-6112-E706-00000000E601}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:18.468{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556EC12E3765D2CFBDB143AF545CC4FC,SHA256=8AA2295DA70F55E69CBA02C88049C2A04A125DD0E2AA6CD3B7319CBE68F634FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048589Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:18.692{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2777D68C12E7702633E6005F9E9014,SHA256=9144B080EABEB318A8366D3EB944324EE8F087DD423DA0E2842B81518A094B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048588Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:18.645{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048587Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:18.609{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000048586Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:18.592{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000048585Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:58:18.592{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.65.208591191C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048584Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:58:18.592{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.65.208591191C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:18.281{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25E3CEA59D3410588EC06CB755DCCDF4,SHA256=9D198A94F789AF5BD24AC06B124FDD35C713E32054C1702E6298BCE3C1EE5A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:19.515{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0398E033A22867965C6E02DA5941911B,SHA256=F2FB95EB411CBCC2CCBC1A9855D9F90F9E3F72BC4E8C74645DC42A2D5575EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048590Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:19.696{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABDD76D12340FB339D813DFD9BA2B4E,SHA256=5CCFF2684C15E1E3324DF4A51C9501A8CA7527D60A59DFF3ABD4A4B10DC27FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048592Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:20.714{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D167CEBB1748FFEB3A1944B7CEEA0E7D,SHA256=A681F02D352CC2BBCDFB80ACC6FF39BBA7B10C1731597FE0D381A876CCF3F371,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:18.911{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:20.531{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E0E2EB34D6F3DA8DC88E5352E075F5,SHA256=244B5BBC5A57EE847B4315B96BC9359A84D5C84BA459A4D563BF75FCAA3AF6E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048591Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:17.495{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64529-false10.0.1.12-8000- 23542300x800000000000000048593Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:21.732{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3289DFC52D204F3524CF6E59528BB309,SHA256=1705AFFFF094150064DCB97CDF776EBB68FB31DBC962BC668E4FB6058AA75297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:21.578{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CB23B63D10EB8AE2255C815E90900B,SHA256=FFA814AEAF99D5D14B54312BD28794108A24B29BD0F469D491D82D2CEE82A4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048594Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:22.794{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE16BD39D5A9A6BEC61AFA7CA6F10DDF,SHA256=F913F826B1EF1AF697541A04EF430DB26A251CC3D656A502C20EAB00C507FE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:22.609{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F069072F1EDCB57E1BDD210847DAC0,SHA256=F4E21DD0E74226B6320BBD957D6823848C29382A4AB9DD1AA49DB6DF7F439BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048596Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:23.796{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A86D6CE3D6A0CF3EB4CBE19066542A,SHA256=D8228D6A97A3EA0F5A7BF5685192E4E891745E5F05F7D6E26265154B4D52729A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:23.640{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBCC4F572B475BDD51A7BAE15B0B887,SHA256=B166DE6B515DF58368AD3AC29ED237B79FDBDF8FFCCC74D0D2FDC05BC7E4FD5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048595Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:23.496{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-371B-6112-4801-00000000E501}4760C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048598Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:24.865{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2982D17EA76D1CD3F2718DBAB6FB012D,SHA256=19423244455F5B990CB75269AE42E6EA7F4E35049B14AFE2F4A4670C43C7DC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:24.656{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DB1EB7DEA89E78FC948C9B672DD624,SHA256=BBFEAE66FE90406F6604937A5F16EDA7279F5CD7A50ED46C80C9728C1A299B28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048597Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:22.528{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64530-false10.0.1.12-8000- 23542300x800000000000000048601Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:25.880{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB53425465BB4973DA32447BD28B0C8F,SHA256=1CD719D97E949D4C74728648D291B136CD061C72E8D45C8D78925C46D68D53F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:25.703{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE5D9C62B46D09C67F4B64497826FA7,SHA256=D17373F38824BCC55270A769C0CBD9164E6647B0CC27FC7DD217C4ED8696C159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048600Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:25.580{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048599Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:25.580{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048602Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:26.963{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A3F7F368DF90FED0CE5CF785346D1D,SHA256=C280A05495674F8D4DA00552C362C6617C01C8FEB49329A9BE78D82F5D20FB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:26.718{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB125E537EE48C8F4BF30E2E752DB64,SHA256=275A8173FA5C0BF4E18BAD7BFED2DE0C4930CDC5F7D9B11E6C3A3A57192B5B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048603Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:27.979{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4281DE2DF6C8816789D9755CDF00DEBF,SHA256=A7D52D3ABA21A427D5C4489DC2E6E3765781C198FB900C9EC9B6C27DD8F6C34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:27.750{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113F4CF7B89D6A964849B0EFC4CB6D79,SHA256=A9C4AB15992B0F504C1071EE78CB0FDFA89371014E81A3D7F05730012738D1B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:24.848{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048604Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:28.994{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E09E935874DE26CC27E01F883AF8E0,SHA256=6791656603F993B11C3136BDF72D79A049A9B9640F15935ADD9BB7F4B8FB5BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:28.765{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A89428BB20E562590BA7FBDEC864A41,SHA256=C3B720CB32C9FB2AF9B076D9C551678A888B58889CD9D4D24EA9C7A295DAE9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:29.770{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157A3CD13273FF605AA768877A01A214,SHA256=7E649EEA57C2E97CF7E15BC63AB6B0564165F969BF2FD188237C6BE8A01E5236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:30.786{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D717978C237897C1A5EB3C5FC7766B7F,SHA256=735707AAB2067A1099D0A3A36C42F030D1D4A0893D12C47C9F956200CAE92B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048607Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:30.677{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048606Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:27.628{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64531-false10.0.1.12-8000- 23542300x800000000000000048605Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:30.012{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309AAC27AA5BE686513DB9544AFFAD4E,SHA256=928D6DEF4DE16EEDC7E49B7BD7ACA88E94485E82C9C5275DEF038C465D91A340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:31.848{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A874299C63250A9C1EF2A1BF8073C0,SHA256=01484867B1711F839F9589303E3BA3026B8D94C291EAA1A0B32A30CA60BE765E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048608Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:31.062{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8CFE3EACA69DD6C3315BD5832C6B25,SHA256=3D5FD7E8C5BAD67111C1DB654EB0F68BCD4D3723322BAA15AF236A0EADD03288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:32.895{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01850BB0D8515EFB03DB23892AE25E57,SHA256=7721393B3F9F02134C0A89C9E552B7E8B517FC991CCA3AFB7E08A2B6318D3F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048609Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:32.076{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7237A7796431F28962EBBBD2ABE6F928,SHA256=358AE8400B16B16A7F29B128BAC400AB9FF74D2A4BB9562D0955055454A38A61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:29.978{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51640-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:33.942{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA94F80A8CF55F76F6E71407C4AC6B6,SHA256=B7699571EB341B7C4C6247624F871F5E70E3FB46127FE7638733B9E950E4E661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048615Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:33.775{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048614Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:31.479{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64532-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000048613Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:31.479{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64532-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000048612Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:33.091{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1147D4B6E496D145540835F81FC46EB2,SHA256=95626964B9832E93ED63DA24AE6844E8DF4BBA5B04569BDD22DC1C90A7F3BB87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048611Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:33.060{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E9B7D949B962A3DCA36C9C5D087ED80,SHA256=729680BD83157E0A4C1FEF0BF597B2D5EE3F9D33AF67269BE0B4C45D3CCA01D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048610Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:33.060{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D675B75D541D865628C341884C18718,SHA256=E8A606E7D8436F8271E4DB2E0D600C696C25B6AB5AFA2F4741ED79D4CFB3F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:34.989{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E37D25931DB361173AA50E7007EAEA,SHA256=996001FDF47425E9D249947FC07C023F10D2B88291A1C6900FB1435060F270F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048616Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:34.109{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A54DCFEBB2A0E9BD8C300EA868670D,SHA256=06ED8E145661411F5B60EBB8DB97019864194B176D981F59A285371587BEF33A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048620Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:33.525{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64534-false10.0.1.12-8000- 354300x800000000000000048619Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:33.194{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64533-false10.0.1.12-8089- 354300x800000000000000048618Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:33.034{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse185.173.35.49185.173.35.49.netsystemsresearch.com55507-false10.0.1.14win-dc-15.attackrange.local5985- 23542300x800000000000000048617Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:35.144{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A96A9A19C19E8B4F130898700388D0D,SHA256=6C58CD21D32717E4AB53C79DFA661C205ED19B86366DC4BF4173B638213496CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048621Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:36.159{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E523DF066968D5C4EEE19439F53B18,SHA256=F8B9BBFD6402A06C2758372A33E62E5B02775894E41F68647FFBE9EB164D5E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:36.004{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F179C04E169E4366CAA4E7FE493DF555,SHA256=BB7B2DACCB6BD629B7C757A716D3A53F2728284F92B6C1914269965869BEA959,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:35.822{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51641-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:37.020{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936A310A94EA98C27D97E623346A44A5,SHA256=963A905D461EB7E4161D77740849E0BE939B89F854766426844B096FCEDF2FA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048623Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:34.977{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local50600-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domain 23542300x800000000000000048622Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:37.174{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E798AE841A556311EBA59E8E5966065,SHA256=4A5B71AB977C80C29E6512D6D83AD5D8A4FD318EC7EB17BFB32627B9E907632D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:38.129{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F1A226D4E094A573DBB6415B5C8694,SHA256=8C8AF6D20304E4B469E57DAD4C9332E5E3EFD1EAEC1E1E4DEBA60EB4D1A675F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048624Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:38.188{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E96CEDBB7C5F1B90885C5BC6B7DDD96,SHA256=14CDA3245F7680B6CC7F4D4B6C2B777E88F60AB0504660DD63CF926C0660AE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:39.161{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C417CAC5BFB7897DCBE780A13A81FE,SHA256=6E76958B77A3FF92DCDD31F8530E585FF0A500EF6687CC85DAF55D79631543C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048625Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:39.206{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8C105CFA95B88B90C51D18D3C400ED,SHA256=111629270346EA0D1F489316EB1CF8EE779BAC975DD41F305C195549F85DDCA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048626Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:40.226{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BBBED75CDD6DCB935B061171A9A868,SHA256=133014ABF0B7C342EBC398FF1D3CD8D41BB46448ED033D2DA16C07DCD6578D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:40.192{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F10D33DB8E144D4620A46619F11659,SHA256=0064AF93F302E8A01322C07618175FFEFB31112AD96E46213F7F9BA3669A0A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:41.223{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDD0C3B63540E7EACABA488DD5C2B96,SHA256=0065B98FE565FA2EEA5A4512DA2BD03973659C567E3334B5439DBDB6A075681F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048628Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:39.490{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64535-false10.0.1.12-8000- 23542300x800000000000000048627Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:41.241{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0897AA2E4F7504B0CE6F0C47E0A75A3F,SHA256=056372132C4660978C4B53D25ADE3677EC6114CF9BE8E888C0F42E4204421311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:42.224{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E007B8AB764D8110D6BC35DF2688606,SHA256=E5E9FC2B1546DF63ED68A9E9E969E76DF3FC8C44E0CDF56F650E1E30A9F42E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048629Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:42.241{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D051B37373EA6F3B42418191EA558924,SHA256=36536D0672D30D743B50108A823D7BA8EB2E8D0311CA9F796641450AD1DA9BA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:41.790{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51642-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:43.254{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA4AD96FDCA8548F5A3B490E72B23D2,SHA256=9CCAE16E892D7774FEAE3D0192E49F9AC148ADD0EED71B3980A6F68113DC35E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048630Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:43.241{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC12E9734B478403C4FD0B17C77C4C48,SHA256=9294FB3E0A5DCED723D0DBD42263F91DE2C6103E318D98C57E1F11BB7B74B26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:44.317{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4782544570FE3DAD83AEF567350D66BC,SHA256=B1FF78F7086A37712EFBD4E02092A79403BC9317068AEB0BBF64E3A71543E709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048631Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:44.256{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CBB819C5D8547D29BC06949D538918,SHA256=227C3864AA7051851B2D819CD7F6610E8CBF0A01247E36E701774F5D71CA51C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048632Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:45.287{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC7B7DC50D3B3959946723A24470D01,SHA256=882B35EE3411EF5DF9D069890FF7E7EAC1BF8501E46E7F42A9D17AF73A8FE01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:45.348{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB20265C4AAD39CBB3ABB7FACDF5AB98,SHA256=12D60F83CC1FB2344755ADA8C7C04CAB29D4911B3152577B34F6635A9DDDED3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:46.395{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EF6AE09F719FF7B760650A6E7D28A9,SHA256=9B4D2F3CA806615BEAA439EB512DB267D70C0E5668F2D790BF4E5B6E24759A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048633Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:46.305{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91916C1BD39C0D4D0773088D626C442,SHA256=9F9B2054FED4990483BD9B9FFB4C1BF1C1C8C843875B82B7AC31CDD3E84C0E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:47.426{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573FAFE68E3B34D9BC9985304145ED7A,SHA256=1D53EF9CF03CFCE4AC27F7A9963888273C41E975F3512C62949374357FF93855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048635Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:45.489{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64536-false10.0.1.12-8000- 23542300x800000000000000048634Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:47.323{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9032EFC8FEFB3431B4FFD9A5C5139E2B,SHA256=1FC917BAF64A689D75F8F26B827E4008A5F076C30327E89E27334E99C070B0F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:46.978{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51643-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:48.458{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0E836ADF730469601FD1166714A25E,SHA256=469D725DD1F76475D47E622BBE4F2617771F40221C7219D83059252173EFAF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048636Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:48.338{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084141C69E134095EC6E05AD86B10E17,SHA256=5AC8515194F8F7871EDB108DD9293D5F2E19AE36D342C9E8F61F60AEA8B63B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:49.490{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866B6F44D1B1850FE30511F7E73BFF43,SHA256=A965F94884E8316771BFB0560361A9D5E45D73273B47282293B462C459B4B55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048637Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:49.369{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903E557CCC8F32CE99EF307960314EBF,SHA256=1389DFF49398F5BFAEBD54AED4B09F146846C4B161C1F6F899A3A15A01717DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048639Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:50.384{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C494182EF3634B7CFAAFDC1AE077C4,SHA256=BD15A7697F1B401D5EFE363A10E7EF5FBADCBBA85A4152E5C1CBB552753813B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:50.506{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166856FEA60EF828D7DE1CE8849EA26E,SHA256=B56279B1C8833E1271593C41B9DD437E02070E9BA557E0D79D3FDE79FF8D93C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048638Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:50.237{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF99c0e6.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:51.521{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3B155AB8A781869D4C645AC8D2B320,SHA256=69495CA70C0890CBED37CA5754536A7DBC3994672A81CA3B8DC98E46A4B5E0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048640Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:51.401{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64A1F77F2988F05BE715BD0960A67B1,SHA256=49647901C68034C630245384E3AE1A2D40D6C5809BBF5CA057E491245D3C00DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:52.553{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7D66A6A3198812C0D4C445C57F16CA,SHA256=18B66D29A4CB5496B755B4896440975F74C41910E9308EF51FA13F68C1053B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048641Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:52.421{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F83BE9058E6417533B1F46F9EA6300D,SHA256=57B04A3A4CA2236DE07C3509BFCFDD8094B2F3CCFB19E056C99A831798CCCEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:53.568{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E386C5DC5782B7A9BA8708A62B7AB9,SHA256=7B527600E561623B4269456A6903DDCD5AA91784D19ECDEF3D0CBE10F8FA5C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048643Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:53.436{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA6CF9C4C7882F3EA1A64187CB09E83,SHA256=BC76407367880B7ED4FCF69F41EE157AEC1C5DBA39E946193402E1B49AB2694C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048642Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:50.685{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64537-false10.0.1.12-8000- 354300x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:52.932{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51644-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:54.632{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA3F1D74BA06315963926161B5C4167,SHA256=5AE019880E8CBF500A2D25DD871771213C3527A1B14881C36410233C5BC1653C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048644Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:54.451{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DD70F4CE40FE0F7BD6A29250609783,SHA256=27DBF241D159B6715CC79F34A9B8F896FD81D2DD3F5ADB595FC290F8F76590FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:55.644{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333CE80F04A6945E84FE1216652985DD,SHA256=74E25666145A779668561B57404C31C73A6987A7EE1B20C18E57A9B9AF5FD74A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048662Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.819{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BEF-6112-7708-00000000E501}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048661Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.819{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048660Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.819{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048659Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.819{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048658Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.819{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048657Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.819{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5BEF-6112-7708-00000000E501}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048656Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.819{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BEF-6112-7708-00000000E501}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048655Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.821{82A15F94-5BEF-6112-7708-00000000E501}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048654Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.466{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD88E9A4E2BA68DCBA42592C7AC9B06,SHA256=8E0DD9B9164745C702FD166369AE02403F7F5B5240BBCB7E68DD50928C6A2A26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048653Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.450{82A15F94-5BEF-6112-7608-00000000E501}11444592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048652Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.303{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BEF-6112-7608-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048651Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.301{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048650Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.301{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048649Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.300{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048648Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.300{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048647Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.300{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5BEF-6112-7608-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048646Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.300{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BEF-6112-7608-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048645Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:55.298{82A15F94-5BEF-6112-7608-00000000E501}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:56.646{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71C0419E8163D06EC745AA621D9769A,SHA256=810E102A5E5C1E390BB44688EE769B37BF154B99567C3A1FF77D61107CCE0543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048673Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601555ABD168C68182BAA3B006E35060,SHA256=33C48FB291766A6A807BDBE72DD4425BAE7B470ECB0C57938535621CE906A3D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048672Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.419{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BF0-6112-7808-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048671Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.419{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048670Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.419{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048669Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.419{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048668Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.419{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048667Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.419{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5BF0-6112-7808-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048666Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.419{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BF0-6112-7808-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048665Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.420{82A15F94-5BF0-6112-7808-00000000E501}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048664Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.319{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259B407C2DB6E35624E2B36A6FC2F2C6,SHA256=47B2B59A376190AAFBADCE3A0CAA3D0E9832EC3FC8D9355E37878D42627F3DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048663Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.319{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E9B7D949B962A3DCA36C9C5D087ED80,SHA256=729680BD83157E0A4C1FEF0BF597B2D5EE3F9D33AF67269BE0B4C45D3CCA01D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:57.662{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D595223897800A8E6DF72DF8F8A319C4,SHA256=F7B8DC30A0CB232D1128C6560B8F050AAACB9178111757D4D332A080561C59D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048684Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.565{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE5DCC3E588892F6ADD1A29636BABBC,SHA256=914D5B978275FEE8A5A2032395377D4A9C6355C4021C75E37A8B07F7F2F914B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048683Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.534{82A15F94-5BF1-6112-7908-00000000E501}63047012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048682Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.434{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259B407C2DB6E35624E2B36A6FC2F2C6,SHA256=47B2B59A376190AAFBADCE3A0CAA3D0E9832EC3FC8D9355E37878D42627F3DD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048681Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.381{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BF1-6112-7908-00000000E501}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048680Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.381{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048679Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.381{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048678Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.381{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048677Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.381{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048676Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.381{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5BF1-6112-7908-00000000E501}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048675Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.381{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BF1-6112-7908-00000000E501}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048674Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:57.382{82A15F94-5BF1-6112-7908-00000000E501}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:58.678{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1ACB12EDC4EB6DD9A67DFAAD62D23A,SHA256=8420152C70A5E5BC0A5512611BF47764B0C9F4813B2E68BFCFBFE8E5F63F2B9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048703Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.848{82A15F94-5BF2-6112-7B08-00000000E501}67043252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048702Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.700{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BF2-6112-7B08-00000000E501}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048701Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.698{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048700Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.698{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048699Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.698{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048698Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.697{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048697Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.697{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5BF2-6112-7B08-00000000E501}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048696Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.697{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BF2-6112-7B08-00000000E501}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048695Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.696{82A15F94-5BF2-6112-7B08-00000000E501}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048694Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.600{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520DF5DAAE00AEA9FF9EAF710E31C5BE,SHA256=B2216109F43D6144794AF44A7739EB67F0CFA0B4A77DBAA23E5641D1B2DDF991,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048693Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.164{82A15F94-5BF2-6112-7A08-00000000E501}14085772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048692Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.017{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BF2-6112-7A08-00000000E501}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048691Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.017{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048690Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.017{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048689Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.017{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048688Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.017{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048687Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.017{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5BF2-6112-7A08-00000000E501}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048686Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.017{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BF2-6112-7A08-00000000E501}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048685Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:58.018{82A15F94-5BF2-6112-7A08-00000000E501}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048714Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.617{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18323B42737679E852F13106436081E,SHA256=BEC71138356524A135F95EF0BCAB384079698DE5CD40F3A3D9BD92DB84DE43F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:59.693{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA8AC19DFF16AAB012BE441213563A9,SHA256=59B6BD809A15D932F2BE46166DBF9A01E462705E100A323523A853B852561E7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048713Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.380{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5BF3-6112-7C08-00000000E501}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048712Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.380{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048711Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.380{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048710Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.380{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048709Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.380{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048708Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.380{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5BF3-6112-7C08-00000000E501}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048707Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.380{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5BF3-6112-7C08-00000000E501}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048706Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.381{82A15F94-5BF3-6112-7C08-00000000E501}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048705Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:56.615{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64538-false10.0.1.12-8000- 23542300x800000000000000048704Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:58:59.018{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B5D8FC883B2D11BA5078EF708A03E43,SHA256=35CACEA12DCFB4FED26FB412673FCA18FBD9AA84AF9A99B982D95DDCA8094473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048716Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:00.648{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46706CDCAE929B6C3A33AD384A806FBA,SHA256=55E11F947AD6DE0D1026598498086EDC3D6A173467D687C29FC5278DCE1BE7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:00.709{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D52738CF6B2362AE32E302171421DFE,SHA256=0D10C8532E55395B1D888E066D062A90981D430B90320A7BB966300905971AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048715Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:00.417{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF8D7B959D1EAA128E2EEDCFDB4B95E2,SHA256=86725871387A421D0CF783AE59BF652F7AE210F20F9A17BCD91DC4B1F7F46CAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:58:57.948{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51645-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048717Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:01.663{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C295326ECF0B1AE3989030B09900CAA9,SHA256=ED8D2ABB7B61157FC35E68221735FCAEA15D5A8B973CDAA29536F2A7DED9E4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:01.724{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AE853347620DFC7C291A59435037EA,SHA256=DCF5388BE947B5966C3B2C559234095061B12B645A7715E4F9063847F954B173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:02.740{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1898582A89ED1DEFB02F29A823EAE15,SHA256=18046C4FBB8AE307F1752D2EE401A2DD940E1AE5FAE30D22235DB99FC1D6C55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048719Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:02.678{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC9C7359D29C51CECF0B22A7C5D9F4E,SHA256=1A3D881EAD5FC48E2DBE0DA02FABDF3F23FAE8F221CFD4551DE51DF9741A8058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048718Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:02.178{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2AD4F86155ABCF10B04D701FDC0D9428,SHA256=75A481E392636FFAABE590093C43A76398E6DF4AEE6160AD5DAD60CEE18CEC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:03.756{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FC52574DF2AC7CAD229B50BC7BC01E,SHA256=017A03C5CFCDBF43D89449548735C83C8E7FB84DF17F1F55424F5F58850A7346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048720Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:03.695{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C85AE86191F065ABC1ECFDA33E6B8E,SHA256=AC5E3D439DEDD8072BFF9733FD32C5782337C3AF83CA1D93B1E92AAADDB79329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:04.772{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1655BAA7966F1823B98AF5295653461C,SHA256=CBDBAF7BC186C1CF1058C7F341861F2C0CB24D70714B4F94FEFD10542BDAF3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048721Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:04.714{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D764E47EDDF89611B9C52A8B0899F36C,SHA256=DD2DCD9580E4FE36AE7684C82A04028FB91C00E0F0BE2DD5013CF22DFA048ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:04.115{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:05.787{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFB41E36AA0BE85A2A0626CC2BDBEBB,SHA256=9C0CA051AE39F8180B807930DC474179646905CF4FA3DDE5D1306A0051DDEF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048723Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:05.729{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D356BF6B2C7AC567456661EDDAD814E4,SHA256=C65C93EE0C744BEDA182DB1DDCBFEE75CBCDEA0F769D675530A589181A93F120,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048722Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:02.564{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64539-false10.0.1.12-8000- 23542300x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:06.803{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002C51B56FCD6F58FDE3576D4196E4A2,SHA256=9330E67D60D612BE6686B0AD0BC71CF325A84DCEC0C133FF503A699D74481D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048724Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:06.760{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8B5CF5D24AE0E30CEE5D3787145D59,SHA256=760E6E8188B26600DDF2DAE037132EA03076E0806DCDC17A70463E2280569B78,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:03.870{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51646-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000048725Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:07.775{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD424A6DD2F534E7D7034697A067F8E,SHA256=B39387E3AC65A3FAC84B91BCADF39A1CDBDA6A3599081D264227956BA1C2A911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:07.818{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C689368BBDFA03320BAC3DE5480F2A,SHA256=7A1F2B0BFBE14373DDAF67F3850ABF2A1C9CF6259F265C31CD4ADAB19EC306C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:03.901{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51647-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:08.834{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22EC7F2961405A618B4D69BBF723E05,SHA256=FED7342E36A82550AC8BF6E84D11BFE25A507CEAEA6D8EC8466CE32A155C9E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048726Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:08.792{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A757CB43163FAF81450CD676E7134E4,SHA256=B53DD4F633411C1700E66C3A64009BC743D3C413F48D2329D8564C6FDECDFC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034895Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:09.839{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4FBA1CEAD703F65873B32E6A08C11B,SHA256=7AB75DF725D7EDAE3AA027200F8022D033818AC0D628B8C31EEC488E7C16E021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048728Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:09.812{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1AC74B4FE801530D9B9B65DAE23E1B,SHA256=6BC5E97C82A6052535AEDE173D13D010067B235B757DFD1888FDA9012A0686BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048727Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:07.240{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse20.79.73.243-61851-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000034897Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:10.948{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574EACC9075AA2FB5EBE87460826C776,SHA256=0B08375734793235B9BAF3E537FAA12D9CC4F94A5EDDFE3DA8461C801A5BF597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048730Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:10.827{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A9786C3DEBC72A41BA2EA78BD4A62E,SHA256=F0A61B4E16F98DEED889AFD89ED8FE44BB10AA9C26E6F902B0EE281A7E4CDEF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034896Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:08.999{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51648-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048729Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:07.693{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64540-false10.0.1.12-8000- 23542300x800000000000000034898Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:11.979{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4666FCCBA1E46933F9991CE9B1BD7978,SHA256=BEB961B1EA4DEF8C46F59A0249F17B80E374EF775142FA0B0969123991AA4FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048731Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:11.857{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C36002288C1A32D53DBE68049E022E,SHA256=5139EBA81D55F9FEC5E2BA40147CA42BB8A3E155373AF27B30D2F29CAC015507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048734Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:12.872{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BFF521324A37C42CF91B84AA13B5CA,SHA256=1FBCF444951AD1EEBD63E0C651DB9A9F68CAF430674CBD2C18B79027F51E037C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048733Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:12.626{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7DDED78B4D3DD1FC43C3C3BE57C841A,SHA256=F67BAC185688DB450992E5DA73D78CB1BF525F5B40CCC14711DD6DE929447505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048732Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:12.626{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73C1422081D8133EA31DE98FB62E8906,SHA256=3C863B34C07E9E0A2A42E51D53D409207F832AA2A9FF41E17337359074475245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048735Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:13.892{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B4686A6A99F6EB6B3F3AF6CE3E540B,SHA256=CFA2227F605BF2D7A9A6EC69C71656A37D3AAFCB1AB6D98AA63A9302874E0E6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034913Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.854{82855F7C-5C01-6112-E906-00000000E601}13082432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034912Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C01-6112-E906-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034911Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034910Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034909Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034908Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034907Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034906Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034905Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034904Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034903Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034902Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5C01-6112-E906-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034901Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.682{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C01-6112-E906-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034900Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.683{82855F7C-5C01-6112-E906-00000000E601}1308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034899Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:13.011{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24FB8126C6B204917DBAC5A354214F,SHA256=6BC38BF77FEF7685270FB84B820DE9A0143E27C5E2CCA35F4CA3546F46F972D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048736Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:14.909{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0779ADE353F87BE79C171031A1BD75C8,SHA256=44FF6EE8F0F17E8CCA2546878B4890E723B5A2EBDF7B2D84244F7C4084BD37FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034930Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.917{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DBC02CA01485495C1D117852437CE5D,SHA256=5056B5E7CE14DD8317C311133D2CFDFAE41CCC95251F4C9E72C7967102888458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034929Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.917{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F705B0C0D7C538096C4AF429144CD6C4,SHA256=6152FDB0F2CA513422095E6F6B5A4701CFFBE60CE9A2CF5618291BEBD222DD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034928Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.886{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C42B61BC0A9A5F0DA5062D6275BF25C0,SHA256=0C0D63D487F438A04F3B3978641798536EADC22D2181F1484A1BB6710148F116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034927Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C02-6112-EA06-00000000E601}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034926Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034925Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034924Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034923Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034922Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034921Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034920Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034919Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034918Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034917Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5C02-6112-EA06-00000000E601}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034916Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.354{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C02-6112-EA06-00000000E601}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034915Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.355{82855F7C-5C02-6112-EA06-00000000E601}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034914Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.057{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96448A558EE39C9C7D98F835B0AA697F,SHA256=0F0FFE66E6B5B95B278FB6713F790CF0E875A1BA5222BD0FC4C80FB7951CD8A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048737Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:15.925{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEF1A69FEB6AD9F2A7392795A5179E8,SHA256=FAA59D2A463F2873F276016BC3635162D46A0A8403E170CD373A67D345FC1071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034957Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C03-6112-EC06-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034956Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034955Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034954Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034953Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034952Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034951Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034950Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034949Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034948Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034947Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5C03-6112-EC06-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034946Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.902{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C03-6112-EC06-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034945Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.903{82855F7C-5C03-6112-EC06-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034944Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.229{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B781524124C0414AADB24F2AC83EC545,SHA256=697C4DEB8A0864C804B9BA912291B8FABD0841D1CE81FAB7A4A51FA9586BF805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034943Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C03-6112-EB06-00000000E601}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034942Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034941Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034940Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034939Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034938Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034937Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034936Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034935Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034934Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034933Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5C03-6112-EB06-00000000E601}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034932Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.026{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C03-6112-EB06-00000000E601}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034931Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:15.027{82855F7C-5C03-6112-EB06-00000000E601}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048741Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:16.942{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BAC360ABC8D65BFF622D34896F201D,SHA256=C3B6009959F305A96E51EC09800C70B97A96472C12D835FFCFDD382B57C565AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034975Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.715{82855F7C-5C04-6112-ED06-00000000E601}10642200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000034974Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:14.952{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51649-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034973Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C04-6112-ED06-00000000E601}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034972Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034971Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034970Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034969Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034968Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034967Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034966Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034965Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034964Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034963Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5C04-6112-ED06-00000000E601}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034962Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.574{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C04-6112-ED06-00000000E601}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034961Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.575{82855F7C-5C04-6112-ED06-00000000E601}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034960Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.230{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975C918224308A47DE58B2841CF72628,SHA256=E52AA344833F0CD23E31CFA8F03B701E5E94E6D02A309A139D92680CA1F61193,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048740Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:13.659{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64541-false10.0.1.12-8000- 11241100x800000000000000048739Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:16.309{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txt2021-08-10 08:54:16.052 23542300x800000000000000048738Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:16.309{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txtMD5=6FEEE053C01EB5F9CD1835B45B566C6F,SHA256=DDB6202957FCDCF0D849E2DDB9F5908CC73BAC7073C56486F9F5D80C7D3B3122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034959Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.090{82855F7C-5C03-6112-EC06-00000000E601}38243836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000034958Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:16.027{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DBC02CA01485495C1D117852437CE5D,SHA256=5056B5E7CE14DD8317C311133D2CFDFAE41CCC95251F4C9E72C7967102888458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048742Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:17.957{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135A4E2CA492BED69C2851CE5C643615,SHA256=63699DBA02202A82AB39433094958F6BC0C2069E9850FBAEC13EA87C14ECAB74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035003Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C05-6112-EF06-00000000E601}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035002Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035001Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035000Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034999Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034998Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034997Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034996Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034995Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034994Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034993Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5C05-6112-EF06-00000000E601}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034992Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.918{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C05-6112-EF06-00000000E601}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034991Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.919{82855F7C-5C05-6112-EF06-00000000E601}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034990Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.637{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C2C23B144D548B723DD06AB25DD0D18,SHA256=1FEEA7CC9FD9C16E4F427F68350DC154241F560D11038F84794B21FA9B1D50D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034989Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08EC165886C0B51DDC64A9BF398ADA2,SHA256=EE357CE2464277A5E255A2B837D5B899689ACC3D5FB5FAA9F16A96A4B1619F73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034988Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C05-6112-EE06-00000000E601}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034987Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034986Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034985Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034984Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034983Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034982Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034981Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034980Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034979Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034978Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5C05-6112-EE06-00000000E601}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034977Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.246{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C05-6112-EE06-00000000E601}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034976Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:17.247{82855F7C-5C05-6112-EE06-00000000E601}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048748Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.972{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD26EEA44CFA97C4C036F29BF1AAB57B,SHA256=FC5A8D8B73E16161FB4A419833627E882186F7F68F1C5B2429AADA844BFB0311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035006Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:18.949{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95E5FB1123516DD23CA6A7B31C1AC4E2,SHA256=91CCCFF2A5C8FB5A9D74F6B2C61C3A65F33BC9F1DB32A0241530825C8DADF633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035005Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:18.309{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE2940D50755BA45EB5D00178201F1A,SHA256=ABD4CE27ED36121C9CE840663EE273FDC1CEEBD2E731DCDD90B0201667EB7964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048747Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.656{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048746Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.609{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000048745Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.609{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000048744Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 10:59:18.609{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.66.150168239C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048743Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 10:59:18.609{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.66.150168239C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000035004Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:18.077{82855F7C-5C05-6112-EF06-00000000E601}12243692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048749Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:19.993{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B2DDF00AADE99A977E419ADD954127,SHA256=2FE3C3A54F1EFF6A3145FA3C6EBB74502FAC623B949F3DCC72EA431438C3CC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035007Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:19.324{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899C50C19C947F3D49F33A86F3769A38,SHA256=7606EED08B0173AE6863FC8195A310B7FA3F0C4FB44DF4E1C24987148FACAB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035008Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:20.371{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D979C12399F21C3B02C139AE6726FC71,SHA256=24A8775C0DE94EABD957750B7FCBF78B5B1C24C6B8AF698CA3181EAD4972A61F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048759Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.107{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local55845- 354300x800000000000000048758Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.107{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local56066- 354300x800000000000000048757Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.046{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53395- 354300x800000000000000048756Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.045{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local55817- 354300x800000000000000048755Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.045{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51129- 22542200x800000000000000048754Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.110{82A15F94-3D89-6112-C804-00000000E501}6460tpop-api.twitter.com0104.244.42.130;104.244.42.2;104.244.42.66;104.244.42.194;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048753Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.109{82A15F94-3D89-6112-C804-00000000E501}6460api.twitter.com0type: 5 tpop-api.twitter.com;::ffff:104.244.42.194;::ffff:104.244.42.130;::ffff:104.244.42.2;::ffff:104.244.42.66;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048752Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.048{82A15F94-3D89-6112-C804-00000000E501}6460tpop-api.twitter.com0104.244.42.66;104.244.42.194;104.244.42.130;104.244.42.2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048751Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.047{82A15F94-3D89-6112-C804-00000000E501}6460api.twitter.com0type: 5 tpop-api.twitter.com;::ffff:104.244.42.2;::ffff:104.244.42.66;::ffff:104.244.42.194;::ffff:104.244.42.130;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048750Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:18.047{82A15F94-3D89-6112-C804-00000000E501}6460api.twitter.com0type: 5 tpop-api.twitter.com;::ffff:104.244.42.130;::ffff:104.244.42.2;::ffff:104.244.42.66;::ffff:104.244.42.194;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000035010Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:19.953{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51650-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035009Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:21.387{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4D37F77EADFFCE3B46A4D026834173,SHA256=7DF4A74EA8868867D1A445F45C27A383B05ED18A9074433C26951C2F46297F58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048761Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:19.674{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64542-false10.0.1.12-8000- 23542300x800000000000000048760Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:21.039{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EA45CCEEDA3A750BEC121DE022BBFF,SHA256=27F9AF2007617302C959F0F0C7256DF9583442FEC676D03CB17214E7681509E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048762Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:22.054{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB3186309A6212509BBA3271F17AFA4,SHA256=1026E7B258653F63BB05FBB17A325FB49843B4BF9EA312CAC98F567DA0941649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035011Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:22.418{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9155BE4F32604433B8DABAACD7B6FDC,SHA256=5AA8C4D55D501267F6062706E287E36E1460CDFB4ABD248927A3AC7BA2637DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035012Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:23.480{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B856C18DEC55F766311C401885C0467,SHA256=353C04E6B8C8D8A7D179F5AFD63981353C0BF382115F8FDBEE5CD32F5A284C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048763Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:23.070{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C688658A871FE05C3C1E9A5388286CE,SHA256=3836C250D9614AFC4DE3BCC41E00F49B850911AAEF8D50C8FDD1FE00394384D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035013Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:24.512{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41A72E7EB5EA477ECC705F91B3BB823,SHA256=D93C9A8CC853E202A65C265AA15CD3D4BFFF35998240C22E41C8F7227CD7492A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048764Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:24.091{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E44437C0E101876026DCCCDAA0AF1F5,SHA256=48A8B24B6EC21D4DE3F8467D3A6A34AE21225C627399D8628F587AF40C60AC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035014Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:25.527{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA67A89A21D0B0B33D705479E759DE3B,SHA256=EA998A55A81BCE18288A68B9C05E94D83406F5A42C921B58BDBFF025D6E599D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048765Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:25.106{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079712BA31AB5801CDA6F28C702C41D1,SHA256=AFD7EFDEC6986252A83FDCAF5ADCBDD6BD870DB719F516291A1F2E56E06A79AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035015Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:26.543{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17264B9740738E094FF485188D3352A6,SHA256=A71FF9582624F4C2CA0B38333618C69B33E1C81C51A44C55F3BB31E3F8723DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048766Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:26.121{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7F6C60C5116DE4DA849C3225313239,SHA256=01A32DBB1DD14220B137DCDBF12855B9626FD8DF53499C051F5B0D6699412CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035016Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:27.559{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7C2D1A21F0C1B057CA257E906629CE,SHA256=30A9E94287941864533F69B70756D2FD31A80483B7E3EC369F6F8C12C4F7DA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048767Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:27.136{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9080AF6A34B8B5E9BE1154BD98F910,SHA256=6880EF9EE0ECC8C89A5927739A4D9905ADE45B8C25D73FCDA8A39A4D5BD8C723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035018Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:28.574{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9054E20736334C0F23A03AD4912799D,SHA256=64D80CE30636B6C8E3D5E19526B93CDE100B28A6E7BF7F165991D3628EAC74CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048770Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:28.851{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A224AA2EFF30FF5A89FD0D6A8BD96776,SHA256=B1AC1F02549CB760E16579073B2E4E218826995C2931E6A7AE8C188D346B3CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048769Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:28.151{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE0E25DB07D40D198DEE7C761FCFD5D,SHA256=3BC9DAC74AFD2E6FECE7E4A8E63E8929062BCFF4B63A2D797638DA985A4BB5C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035017Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:25.953{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51651-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048768Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:25.555{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64543-false10.0.1.12-8000- 23542300x800000000000000035019Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:29.588{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D526F3C804E0E5EA9CC46C2E25A14B,SHA256=62AE023D67B5703DD2A0CFA15D1DF5B6183C5ECC1577A7D714B7D023E040C135,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048781Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000048780Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009a5b13) 13241300x800000000000000048779Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dce-0x68ba98f6) 13241300x800000000000000048778Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd6-0xca7f00f6) 13241300x800000000000000048777Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddf-0x2c4368f6) 13241300x800000000000000048776Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000048775Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009a5b13) 13241300x800000000000000048774Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dce-0x68ba98f6) 13241300x800000000000000048773Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd6-0xca7f00f6) 13241300x800000000000000048772Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 10:59:29.703{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddf-0x2c4368f6) 23542300x800000000000000048771Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:29.185{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3EAC490B9FFAD448F1EDEC141D344D,SHA256=7B9DE6AD30A8B4B609FF2CEB2E4913CE77A8A9C469D8A12A78EAE18E572A201C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035020Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:30.604{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91678D17013A30B1060E28478238A0F,SHA256=498833CC89167A7B6B952F6898AD4B47929DB0C3F8DA7E25CA1863A336034C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048783Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:30.665{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048782Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:30.218{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBB6B5547F98ED2F178F46414EA6064,SHA256=474FAC0F8220D42A34729D98EDBCD394CB3E601191C8E0E2E38EF86CE7A184EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035021Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:31.619{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D937232AEEF1D6D57E54B9B92A6CD1F,SHA256=BCDFA7D0299180C20587A9414EC906BE808116B9378CC81443150967B7153F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048784Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:31.249{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A2332C0727A5FBD90876F644EE372B,SHA256=00A5751FD97A5643F71697BDD75507EBB1E8CC4D1AF5D9FB0A01F1546549A304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035022Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:32.666{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5E5E607FC0E87AD14CC9E79364C370,SHA256=A839FCE1A7181D9BED83F12008354072D6B894CDE26FDE87BE17661A66AC7162,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048786Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:30.614{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64544-false10.0.1.12-8000- 23542300x800000000000000048785Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:32.250{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCD4FFC182B2E5F308954BBE6E56874,SHA256=990AFDAA6CC10CD78ACBCE752F311A74C1419E9AAC38FD1B8387BC3F2E073C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035024Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:33.697{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB47EE8BC24177D43FDED942D54BCC6,SHA256=D557C1FECE35887CD87083497437F3E2C79BD3051AFC86A92A8B52D273779785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048790Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:33.818{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048789Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:33.250{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E376F92F9E00A2871D57EE9B0016C304,SHA256=A88F6117802219F39A6E648BFD5CDFCA60F6FC003C973CDB549AC9D86B1145EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035023Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:31.858{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51652-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048788Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:33.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11FC28FECF6C2D5851AB6985DAA5DE35,SHA256=53CA3999303A4DFCF515CF36E3BA3115B886D2CAA845E0997EB2B11C4EBC8188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048787Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:33.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7DDED78B4D3DD1FC43C3C3BE57C841A,SHA256=F67BAC185688DB450992E5DA73D78CB1BF525F5B40CCC14711DD6DE929447505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035025Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:34.729{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E38D7D842D0BFE2E17097A5716862F5,SHA256=3E2EED7C3E14C109F4C69615049C4F5B2A378F64543F2C55709D244DC2B5CFAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048793Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:34.265{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3CC06BBAD2EF51A46438E21C8257FC,SHA256=871C5C2481026E5B89026117F8787126752B44434C4903D7B6D981C43D6B030B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048792Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:31.482{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64545-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000048791Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:31.482{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64545-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000035026Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:35.838{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BB904FA7A9471552F612016CBC6181,SHA256=B7909994533800FA9D5D850C6C72DEC80E732C6401E81CD0E2BCC50B46D60FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048794Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:35.282{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A60CE45E3FEB5CC9A66AB39DB147D92,SHA256=DC6AD95E57C77D46682209DF171A3B0EDDF1691972321204F2AA0F64B957CDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035027Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:36.901{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EC3767DC1AEE4B6B05F9E6F2FF0B18,SHA256=4F7C0130930A7A12FB9145638EE49D5A3CEE1718F287C9E24B3AC021121C793C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048796Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:36.301{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E45B13587D41F121555811D9031F91,SHA256=5B58B71F9AA4BE8B22A2A0E58EF3B2CF01FEE89CA5FC48F14FA014E0511D625F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048795Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:33.215{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64546-false10.0.1.12-8089- 23542300x800000000000000035028Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:37.932{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BE4CA996BC8740DF22047109C2A36F,SHA256=38893CE453310AD44BD920EBB49E93D40C5755670E4911C91E696D44967471D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048797Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:37.317{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D0625F0F24C8F0CDB821647DFE7DB5,SHA256=AB3A0CC7F52DBCE6102184578045A4049F351830003E8F5F75C7EDABD9D36534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035030Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:38.947{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AD3C48C725B50E3389B37AC05D66D4,SHA256=23E003D9B2896EFAA5428045CB54972DDE22951C7E7BAD3F9FDE0F43B779202A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048798Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:38.347{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481C55DEE72DC58087258EE910EC299D,SHA256=C735257D617C952CDEA7B8A062AE66D5F5FBDBDE52614FDFF3470667A4118D48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035029Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:37.014{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51653-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035031Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:39.994{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738866A52B70B05EDF8821C21E2D3702,SHA256=E42A52FC4C2E45A421EF9514D958E0B9081D4EC643FEC7BF651A77912F015F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048800Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:39.381{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1D2B5F6C17E36F1CFA567FDFF39AE9,SHA256=7DE6B6DE9720E153192A1D596EFDCCBDC9DBD7E0297F00469DF029124600C3A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048799Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:36.535{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64547-false10.0.1.12-8000- 23542300x800000000000000048801Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:40.399{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023E933F65CC65C80AD7E711115A7B28,SHA256=58BE67DCC760FC7F05235119003FFA48D3F40C5D68AD4C8BB99B8702F0A0A213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035032Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:41.026{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B574B271FE53CE7E550D97A32F3B271B,SHA256=724B8F1718C33B764D68C634E68B19794022E179703994F3C934D81B91FFA3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048802Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:41.422{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06F5D7B885FEAD4B12A34DD3D05967E,SHA256=70EA69EBA91AC9685388E5EEB33D7787B97D7A4A57FF655B03BBE83645B09F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035033Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:42.104{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF61178C4957D87F994DFDFE21CACB81,SHA256=E53E48EA0198754186728EE7F7023FA016EB40995E096B3BFC7B14E288270F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048803Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:42.437{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BD522C61BF53096B0B58856BD92488,SHA256=8B5246BFF2259E01D1D89111DFF53DA12922A26CB0418ABE62D1087BDBF412D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048804Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:43.452{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924FEC2DB1B118CA0B26ACD8AD2D866D,SHA256=8BAC5EB178B06B5C2E9214F8636933282743E8C8C5F51CB64A99466CC6AD4B65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035035Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:42.014{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51654-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035034Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:43.119{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EBA6AF25DA9BF6398DA7D800273134,SHA256=BE33BD465432EA583C12E3AFB2C4D55E6D11C4A9B8B67F792957BF8D1760269D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048805Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:44.467{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00306386BEB345A6BDB1C85EA0B67F3C,SHA256=5F91ABDCE39AEFDB492EA7CAC29555D15032378CF26A9C678EB761D83667226B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035036Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:44.151{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E919D390F3B276EE5DBD57881EE5E085,SHA256=9CB055ACA0C128D834EEA884929D618555717343ABE57BD7994DF18300EDB0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048807Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:45.484{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13530EEEB65706CDCCD4240B721910D7,SHA256=0A87989840886B3E1C66496D559E9FCC4A4E624EBADBDDC2376733604BDB1EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035037Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:45.151{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3153379F3A6DF074D4C7EB9EAFFE33,SHA256=8A6E5A23A9325F94A8B7A9926556181B27D8900F5F9FF0705A078A7120FE6610,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048806Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:42.486{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64548-false10.0.1.12-8000- 23542300x800000000000000035038Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:46.182{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE359403DF675EE081E80E3D57FFBED0,SHA256=C1D663E5D7E2AD1E008B7006BA7C98CE17AF2FCFEAD2B7A03E6C82A5548E92A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048808Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:46.490{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C079427FA1EA41797A302AD3D0625A,SHA256=BAD917CAD0A60E511CD715E5AAE8D8004630B8C778DF88F749A074B94229AD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048809Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:47.505{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937C99A9771BCB72460D602A6F3F07FA,SHA256=EE30B5CE84E5F07C14948CC010BBF43061EEE10E3516CD559702F04B49833BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035039Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:47.229{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB9225D0CEAAF347191EA30C3FD3A5A,SHA256=27C254FE928CD4DA640117967C41BB3B66556883D545DE348C3D2A36B3F79E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048810Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:48.519{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6868FB5B5EA9178AFA950B849BC106,SHA256=F332C82CBE82FF8DDBDB3A5725966113F81BC0455FBFBCD949108A4FCBE8EA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035040Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:48.244{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D1F64971096A567FE43E89FA4FE98D,SHA256=FA169C81BE79EEAAC9A64FC0C1FB4A23D5450DEA32C91A9064EA6F879DD30701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048811Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:49.534{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E243C2E3348AF3E4D15C714FF36908C,SHA256=6FD974CD763E49B1138C750659B1BD911474578D8FAB20ABB08692AAD2878ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035042Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:47.857{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51655-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035041Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:49.279{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9532F9F6EB02854480909229587319,SHA256=7B7C1761572DFE8768C2A765F25D6D3AD53FB4FCD1774ACCBBD19F1E3FD16122,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048813Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:48.515{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64549-false10.0.1.12-8000- 23542300x800000000000000048812Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:50.535{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D474B51D656D8BBABAB6F2D136A73F3F,SHA256=FF23AA978E55EE6CBD5DAF06A721E2094F7B433D8C058646884BE99F17853A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035043Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:50.294{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303871F8D6949753955A6EE373C2AE25,SHA256=57DFC4007DF53BB902D27A39BB35799E999766841952A0E5DA5EDB80CBB28BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035044Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:51.326{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55059B707C27A895BAB104996C1CE724,SHA256=A0F167DC3A390FF9C70EE748340DEFAFC4357484A7D2BB8BAA1AF59D224D3C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048814Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:51.550{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9CFDEAD5902D98096D843FBFFFFC1D,SHA256=682A1E4B6A55B5FD2FA87FB9F4DD74F1F536CD3D9303E159B7B182FD0E7167E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048815Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:52.565{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C2630ACD9177EEA930E9C6857C146E,SHA256=8B0B5B9F5AAF5E64361E1D11D200DE754E5CFB6A99D1A93D053FC0BFBE8D4E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035045Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:52.357{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772B5BE57A8E4CF249E32231FAEDAC51,SHA256=28553D96417A64DB786ED4A0691F36BEEA4312594B62C3F34CBC1D07654162CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048817Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:53.718{82A15F94-5A68-6112-4A08-00000000E501}1104ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.bat@2021-08-10_105946MD5=371E661C46C5C1843FE79BBC69F5E5F8,SHA256=C7256FFF00532356DAA6DF4ACC8B5CBFBF2063EDDA2050B915BA9ED82A2FA525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048816Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:53.583{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8086ABDED2B07109B3CE0369B88EF590,SHA256=CF31FB91F836B1D4C8FECB9BDB943645D03EE6177B49D08853AC3B26F5E7B06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035046Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:53.388{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA4732DF11F96D2EBCF25AFFEDD4EDC,SHA256=AA09389CEBD15B84A01E40B834A81AD016459C6AED8C15433BF80074E177DB0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048818Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:54.602{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F493630E9FDCCF8BC16239289CDC457,SHA256=1AB4F03D2FC1C80BD798B19867FC5C29BB216B50DE9BA4E46C9DCD6E94523B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035047Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:54.435{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5198F9F55F714E12B030B767A207E3,SHA256=1FA9E909C6E6779D607608A794F97E1CCEEC1743C6172E0D35F148B166456EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035049Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:55.466{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AF1E5B2C81575B2EF659D4C4FD54A8,SHA256=C1095EACD2B96AC09F31D1A42BD6A7CDC839CDAF5BA6A46A2B0E9DD8BDA793AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048835Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.985{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C2B-6112-7E08-00000000E501}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048834Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.984{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048833Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.984{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048832Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.983{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048831Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.982{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048830Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.982{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5C2B-6112-7E08-00000000E501}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048829Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.982{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C2B-6112-7E08-00000000E501}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048828Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.981{82A15F94-5C2B-6112-7E08-00000000E501}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048827Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.616{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EF54606961E995584CDF77E43BC64B,SHA256=336A8C8B1F2E74799B4DE0CB32FC93BF43C2C63BF408DF0DAB66CA3C7422B17E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048826Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.317{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C2B-6112-7D08-00000000E501}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048825Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.317{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048824Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.317{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048823Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.317{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048822Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.317{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048821Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.317{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C2B-6112-7D08-00000000E501}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048820Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.317{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C2B-6112-7D08-00000000E501}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048819Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:55.318{82A15F94-5C2B-6112-7D08-00000000E501}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035048Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:53.001{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51656-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035050Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:56.480{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96A5E083DAE414C76E60A1030CE1BDE,SHA256=FAA885EE7CDE196E57E2E6727EEEEC86218FAB01D1CEB7873A31A71A1B853917,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048850Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.917{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048849Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.917{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048848Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.617{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E1B736C469FC0E4C22D4375EF2E7F4,SHA256=5B01217E632DFB5EC9E0AD6C2B7D92DE8FFEE34E3E18C0DD822C32BDA4483A8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048847Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.585{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C2C-6112-7F08-00000000E501}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048846Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.582{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048845Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.582{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048844Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.582{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048843Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.582{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048842Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.581{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C2C-6112-7F08-00000000E501}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048841Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.581{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C2C-6112-7F08-00000000E501}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048840Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.580{82A15F94-5C2C-6112-7F08-00000000E501}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048839Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:53.636{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64550-false10.0.1.12-8000- 23542300x800000000000000048838Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.363{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B70B4564167C15184A10EFFF07FE32D,SHA256=1F545670C41A7394EF18C3AB2B30B26CBB75FDA271841385FDB3D7B70F4E0C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048837Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.363{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11FC28FECF6C2D5851AB6985DAA5DE35,SHA256=53CA3999303A4DFCF515CF36E3BA3115B886D2CAA845E0997EB2B11C4EBC8188,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048836Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:56.147{82A15F94-5C2B-6112-7E08-00000000E501}69767104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048868Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.648{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=5341FCB7E0C0050F265C0CFB8A38DB9D,SHA256=CE0C4A745943E156ED5DB184EFD4F016BB73D5D25F50C33F5062E3546BF88156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048867Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.648{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C0539791A18FE0033BC626B93E8AAEE8,SHA256=E6466C0D6C85B2A6426892BFC6ED9614448CDE2C65944C8E5CDFA8100D2BA72D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048866Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.648{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=CB47C5E568EF613EA27C41DE3F19D183,SHA256=10FEB8571EDB1457A73B17D5527EC47ACAB645FE177C8AC40E43D16478F465ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048865Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.648{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=543C91A8924F32E177211EEB16BD4B58,SHA256=FC5F833074281DD5491787B2CF0248BB2AF5B751F068F3B5CB8CF66F86341D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048864Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.648{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C6AF5F6DC7328CCFC216CCE6A75C3660,SHA256=3ACD3D0ED698E0292474170CAE58F2F024C6E3CF74DE5DF4441685B33C9643EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048863Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.648{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1D67613A504901152AF5421A1FEA4A2C,SHA256=0E90CA21E6BAEFCFB3F480647390F0236DDB996CBADE88BAD9F50BBA1C2531E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048862Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.648{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=989D9E701262A3774577B82DEC58DA20,SHA256=1B0A7CDE73950B930C020DC62A7A1A9DF4A8416896DDDBDBDCEEB7C9FF1B1B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048861Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.632{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6476A75AB24AA6A162FCFA76EF87DBE,SHA256=A088FB7473C9D5757A3C430DDC7AAD5ECF395083187F87D9B170464A4C14582C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035051Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:57.482{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C8ADD0E178A953FBF7EF30E5D98DEB,SHA256=BA8F7215E977EF9FA168163523010FB6685E2D6A0505526D931AA1A6C4E39C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048860Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.601{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B70B4564167C15184A10EFFF07FE32D,SHA256=1F545670C41A7394EF18C3AB2B30B26CBB75FDA271841385FDB3D7B70F4E0C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048859Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.548{82A15F94-5C2D-6112-8008-00000000E501}68883604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048858Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.401{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C2D-6112-8008-00000000E501}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048857Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.401{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048856Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.401{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048855Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.401{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048854Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.401{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048853Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.401{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C2D-6112-8008-00000000E501}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048852Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.401{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C2D-6112-8008-00000000E501}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048851Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:57.402{82A15F94-5C2D-6112-8008-00000000E501}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035052Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:58.497{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED90951725E17F5BE6A75D5BEC77CD61,SHA256=3D935627ED933266FF45AAE7E0C995F2E7DE4CA98067FF2ECAF6C3E314B4D1D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048887Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.847{82A15F94-5C2E-6112-8208-00000000E501}14766000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048886Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.700{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C2E-6112-8208-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048885Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.700{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048884Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.700{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048883Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.700{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048882Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.700{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048881Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.700{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5C2E-6112-8208-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048880Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.700{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C2E-6112-8208-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048879Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.701{82A15F94-5C2E-6112-8208-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048878Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.662{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC3D5719DBAEB80DF7144DF41BCE52D,SHA256=7B2273A2CBC4D41F8C283AD5A5716A5A52D2D1CB59BCBD09496F3F9792641910,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048877Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.247{82A15F94-5C2E-6112-8108-00000000E501}45925684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048876Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.032{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C2E-6112-8108-00000000E501}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048875Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.032{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048874Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.032{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048873Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.032{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048872Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.032{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048871Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.032{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C2E-6112-8108-00000000E501}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048870Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.032{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C2E-6112-8108-00000000E501}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048869Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:58.032{82A15F94-5C2E-6112-8108-00000000E501}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035053Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:59.513{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A1BB4042F62431A8067DA74C5E4B2B,SHA256=C30B16CBA22393B725E029A05822C6499F8F7F4296413B66253CFF23C23BFC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048897Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.664{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB5D959EB69F4C703ED5E71EB2F7526,SHA256=EB9CD92D1F85B53059E6E86D2406D9BF9BF6C0E5AD1C41ACEFA338E2EE9748D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048896Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.383{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C2F-6112-8308-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048895Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.382{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048894Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.382{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048893Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.381{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048892Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.380{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048891Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.380{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5C2F-6112-8308-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048890Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.380{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C2F-6112-8308-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048889Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.379{82A15F94-5C2F-6112-8308-00000000E501}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048888Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.047{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F92EE33A7CFBA59571FFFFADEBB9536F,SHA256=45F958495AF898E9A39C89B1F78DBB5AA6B321C879162C67011F2B67BA3018F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035054Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:00.529{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3732D53578B53A2778ED781E2A1CF91A,SHA256=DA645B4F87F61B9F0BB0FBB965347991BD8B278BCB94812CF909001256336DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048899Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:00.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE11F7CFE0007C8A1A9AC8A71406CBBE,SHA256=CBE01AE070DDE1C8CB28C16B607A4B02F882B78087195B732B997A907A691CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048898Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:00.381{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D843F67DF0559631B6A7551042F8DB,SHA256=BF1FF06DF5B02F3C1293F1267A10954E9DCAE5B7B6BF69AD527B4E8A215CA9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048901Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:01.731{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6228116713E0D6FF68CC5A7785220BB6,SHA256=830806A61945643E69E7F19A3AAD37D96DDB0DB85E04544B1A997F3CDA744B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035056Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:01.544{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01FA11386D4A54C1FE8711204197C05,SHA256=2140E5787C5DBDF708633AD8CA37EBE8E55228F391FD5A306A38E792EAB97421,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035055Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 10:59:58.892{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51657-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048900Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 10:59:59.597{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64551-false10.0.1.12-8000- 23542300x800000000000000048903Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:02.733{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF9FE521674D7C3E3B02DAD2868AB3B,SHA256=DC8726982242DB5CE58E0B57F9FA0B19C814D7EA165FF90B8AD91F6C7A64715C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035057Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:02.560{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7411D7D9AA9E8B906D19BE186BF217,SHA256=09F35EAA03592F0512EF45769C342DE4744CB90C09C87557441D3BCDD0D0B60C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048902Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:02.180{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9FB0B21B15567BE9DA8CB87C72BC554F,SHA256=532138DA7DB15F89A1B3875F198C43ACEC2BDE638D43210FF7DE90AC5ED046AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035058Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:03.576{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EE165AA0B79B61073CDE26A84AF005,SHA256=E93ED4C58B2E6CDCF3CB884904C5A0E23A74BF32F18C45ECCF48E55128A24101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048904Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:03.748{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE0B287DFAEE66B5F9DA4EE8FAF0032,SHA256=8036D03971FC61E623799407D71DDB7A1D395DA25DD5BCFCEAF60900A4D09EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035060Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:04.591{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ACE27C47E7D025EDB53C4C0FE1B230,SHA256=59CC6096BE16507738F4B9CAFB63646789CD221D3E88787DB298027E77B448DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048905Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:04.763{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB5A85ECB1C3FECDF5FB2A58C1A75A5,SHA256=247B3FB95055E08C05B7D0AF34FF3B5AF39DB1A80A1682ECC091CFBF3D7DD444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035059Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:04.138{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048906Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:05.781{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C7711BF1A0AB5A40987ADD5D915917,SHA256=99E4AEBDB4A65E20672196E0B686CEA089751FAB46203D53E9E394A94582E64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035062Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:05.607{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647582C9F4BCA72678BC74239B185454,SHA256=399F6A8FFFDA605B66817F35BDE371DD4BB9582D2ED74EA2BD6DB0E96F03AF49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035061Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:03.892{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51658-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000048907Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:06.800{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F631F5C7D90D49603DDA5477999BFE,SHA256=CAD093AE51B97E8527A1D47B6D9531AAC4490AAD5054F459CC7FCB414C8BA118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035063Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:06.607{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B97E12EF0655FFF50B7D709DB851A65,SHA256=97AB849F0327A028DF677D1B739CE922B98F0072C78A7FD33D7555E7D0A11776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048915Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:07.815{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68381FD11D2842FFB8CFBEF8FA9F2A03,SHA256=D3F2B3B897F18F133B171CA4FE01E0C21E64E0E804548E25B49D3ACFE44CB98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035065Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:07.622{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E381C16F715C0625250A8E3035A538B4,SHA256=AFF8EED096445B55D7DEE43F44644B2D33EE1CBEABCD8414F136D6300BA40AFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048914Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:07.162{82A15F94-371C-6112-5301-00000000E501}7606620C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048913Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:07.162{82A15F94-371C-6112-5301-00000000E501}7606620C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048912Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:07.162{82A15F94-371C-6112-5301-00000000E501}7606620C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048911Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:07.147{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048910Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:07.147{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048909Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:07.147{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048908Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:07.147{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035064Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:04.877{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51659-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000048917Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:05.634{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64552-false10.0.1.12-8000- 23542300x800000000000000048916Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:08.846{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C54F229E8C589012C17A0584E99F6F7,SHA256=172B564C9100A85D61AAEC14456F7468229BA78A0FDBBE722B1B779A13611724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035066Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:08.685{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5AAC863393F1247E239AB076F2742B,SHA256=8F7F5F71C4352C46F8D4EB3C802299A3B59F24175DDACAD943061840C953C3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048918Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:09.862{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7814DD30FC2911F10AE75455DAADA585,SHA256=AC2767FBAFDABC6623923CE798A82E3C5599F3E559EBD4E04FD1986A71E2C735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035067Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:09.690{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF7977F4C9C1444A8F21FCC5FDDABA5,SHA256=2B4906E513FEB5DBF7046F5AA691E6C562134F5E0DB9BE5CFE1A756C3D4EA365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048919Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:10.879{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB98F3B4DADE8F50A4A896CEE299DC8,SHA256=3849BCB46156177640AA2466521BE46669C61717D89C9658F9F1A787F1747B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035068Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:10.690{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68B4FD8BD293CB481DC9C055487932C,SHA256=791B9218460EF7C117264A7B989F7D9E3ABA7CDC8B4AB20F021145419CE6F4F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048920Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:11.898{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796B090A75229B476D64CFD3FDA4FC18,SHA256=A72420B472171AB216357BF3AF059061FC4A971EF460226D4FCEA386D8663787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035069Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:11.752{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADD375A331F0794DF1674BE4FD86927,SHA256=64C5D8CBBAB8685A14E64E2ABABE749973C4E16FC4968A472EACD12E37C1579E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048921Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:12.913{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16F507164DE682E98C1482D4B8BEED7,SHA256=BF3B875CAF39B504DE734CEFF939E88799B0079BD50F3BB4095C371E4EA13715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035071Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:12.799{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B6FA5A63B84C7FAB1DD6E65AA9F7D3,SHA256=9039520536091287A5BD7B8FFE658B24FC1738B82C41187CBB08044B9D185041,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035070Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:10.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51660-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048922Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:13.928{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BAF19AE915B6CAD723C565F55FE063,SHA256=FAF9EEA3143B848E3F5E9845823EBADA5327967472ABD05D27B476AC80B8EA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035085Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.830{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50E5D38DAB92B6041F0297B94CA706A,SHA256=A3E00371135F2D585F8A7B275B978ACAA785D8880FCB855C037B3462FB9803AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035084Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C3D-6112-F006-00000000E601}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035083Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035082Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035081Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035080Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035079Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035078Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035077Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035076Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035075Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035074Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5C3D-6112-F006-00000000E601}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035073Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.690{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C3D-6112-F006-00000000E601}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035072Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:13.691{82855F7C-5C3D-6112-F006-00000000E601}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035115Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.893{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F34498B904D8A2EF7F02FE713035DA44,SHA256=6C8E88BB1AAE703754FC5EBA7B86E5A8F05BC4A8A29559F516D337B2709AC3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035114Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.877{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCC1F900E7FFE21311C01A219606C6F,SHA256=746C7C79719BF58463E747F4E409FCE6ABDC1BFACB155231C0D91F1B19F36E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048925Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:14.958{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689149E4FF11C8830D67480DB8DD225B,SHA256=9BEEE3C0D72565E9CBBD6ABABE05DD992591BFB5DD00D3EA2DFBB6FCF065415D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048924Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:11.632{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64553-false10.0.1.12-8000- 23542300x800000000000000048923Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:14.759{82A15F94-5A68-6112-4A08-00000000E501}1104ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.bat@2021-08-10_105946MD5=2A8DB33FD4EEB620C189EAAD7C6BDA17,SHA256=9D02CA349E21A4289576E14BB9AB2A9A1EB23E09CCC574E0DA0C723C510C1980,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035113Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C3E-6112-F206-00000000E601}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035112Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035111Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035110Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035109Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035108Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035107Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035106Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035105Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035104Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035103Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5C3E-6112-F206-00000000E601}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035102Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.815{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C3E-6112-F206-00000000E601}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035101Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.816{82855F7C-5C3E-6112-F206-00000000E601}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035100Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.705{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB6EC407C220EEA2690ADF94EAE8E6E,SHA256=CB3140BC9C19757DFCD444768B2439A25AF8DC71F2AD5EBD653CEF363244B929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035099Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.705{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=998F7BD456A53BCE55E4ADC8C5B47BA3,SHA256=D3D113636F66D646F5988F25720D25DCC895FF35BE6AC75D39921A6B44FE0111,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035098Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C3E-6112-F106-00000000E601}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035097Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035096Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035095Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035094Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035093Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035092Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035091Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035090Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035089Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035088Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5C3E-6112-F106-00000000E601}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035087Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.190{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C3E-6112-F106-00000000E601}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035086Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.193{82855F7C-5C3E-6112-F106-00000000E601}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048926Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:15.976{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25D9A4AE50CB6BC755822F66CF2D40C,SHA256=9EC24852B63C28A08FA53ED8F7DE402A440A5486053680FAFC3F54AD3CC68F58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035130Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C3F-6112-F306-00000000E601}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035129Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035128Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035127Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035126Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035125Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035124Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035123Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035122Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035121Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035120Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5C3F-6112-F306-00000000E601}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035119Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.924{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C3F-6112-F306-00000000E601}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035118Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.925{82855F7C-5C3F-6112-F306-00000000E601}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035117Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:15.830{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB6EC407C220EEA2690ADF94EAE8E6E,SHA256=CB3140BC9C19757DFCD444768B2439A25AF8DC71F2AD5EBD653CEF363244B929,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035116Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:14.987{82855F7C-5C3E-6112-F206-00000000E601}33682660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035147Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.924{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=319BA5DC68933012D31B4AEE87BB972B,SHA256=4C11B6AD47959FB14DAA33D5EB1B3BCB9C8CF8CEBB475EAC23383D668DBF3A59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035146Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.737{82855F7C-5C40-6112-F406-00000000E601}2156584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035145Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C40-6112-F406-00000000E601}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035144Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035143Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035142Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035141Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035140Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035139Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035138Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035137Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035136Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035135Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5C40-6112-F406-00000000E601}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035134Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.596{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C40-6112-F406-00000000E601}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035133Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.597{82855F7C-5C40-6112-F406-00000000E601}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035132Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.127{82855F7C-5C3F-6112-F306-00000000E601}40483656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035131Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.034{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9FF7A198A34A4658BBB939AA79C2D1,SHA256=C7D1C3E84AF3B7D0C75D1F0A4CB0F7CFA1BC09E2CC924FA9F8C53F4B109EF431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048960Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048959Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048958Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048957Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048956Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048955Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048954Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048953Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048952Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048951Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048950Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048949Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048948Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048947Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048946Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048945Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048944Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048943Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048942Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048941Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048940Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048939Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048938Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048937Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048936Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048935Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048934Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048933Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048932Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048931Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048930Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048929Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048928Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048927Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.910{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035175Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C41-6112-F606-00000000E601}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035174Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035173Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035172Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035171Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035170Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035169Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035168Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035167Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035166Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035165Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5C41-6112-F606-00000000E601}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035164Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C41-6112-F606-00000000E601}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035163Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.862{82855F7C-5C41-6112-F606-00000000E601}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035162Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.378{82855F7C-5C41-6112-F506-00000000E601}9002120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035161Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.221{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9CE7B5BB94D8E978C7F1E382ECC8DD,SHA256=72F8308692E581E15BEFE856CACD4EB523BBC1BA29AFF61F523E566D5A4FF11E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048969Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.978{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048968Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.957{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048967Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.957{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048966Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.194{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048965Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.141{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000048964Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.141{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000048963Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:00:17.141{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.67.120648632C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048962Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:00:17.141{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.67.120648632C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048961Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.125{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598E914E256B1455571FB64C784F20F9,SHA256=EF8573BFDFE8D96C271408AE53CDFAC506E7C3977875070739AE0BC68A2A4B3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035160Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C41-6112-F506-00000000E601}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035159Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035158Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035157Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035156Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035155Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035154Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035153Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035152Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035151Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035150Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5C41-6112-F506-00000000E601}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035149Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.190{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C41-6112-F506-00000000E601}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035148Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:17.191{82855F7C-5C41-6112-F506-00000000E601}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035178Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:16.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51661-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035177Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:18.377{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D29B5B4E6141A02DCF86800616319E,SHA256=4E9BDE3F1511D4795A90B6014CA5D0A0FE7926F146CE611DF926F46110E54846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048974Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:18.141{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDBEC1ABAE1394B2DFDF5A8923D3EFD,SHA256=8444AD0BE887EC9C39E7AE5664DE3A988E48DC0F60C9690F4C28CDB10A3AC8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035176Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:18.237{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23840B3447531B5E523B8334763C4394,SHA256=37525BCAEC513CE7EC53BE96E7D2386E3F37CAB5442A494E2DDB8144DE8933DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048973Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:18.094{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048972Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:18.074{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048971Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:18.041{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048970Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:18.010{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035179Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:19.377{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5695F0D8015F1AD20E7788DF969D7CEB,SHA256=36593396204CB8F37D2E46853EC19E3328C8F5DDBC3E94A11A687FC464B60A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049039Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.994{82A15F94-3494-6112-1600-00000000E501}12881968C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049038Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.994{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049037Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.978{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049036Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.978{82A15F94-3719-6112-4101-00000000E501}51043668C:\Windows\system32\csrss.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049035Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.978{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049034Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.978{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049033Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.973{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C272F837B86EE7AC2452E187F38BF3,SHA256=DA1A4C14EF66766FA8674A6913CCDB2E0E966C1C825DF4CCBCC740F0CC1C77F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049032Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.956{82A15F94-3494-6112-1600-00000000E501}12881968C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8508-00000000E501}5244C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049031Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.956{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8508-00000000E501}5244C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049030Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.956{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8508-00000000E501}5244C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049029Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.956{82A15F94-3719-6112-4101-00000000E501}51043668C:\Windows\system32\csrss.exe{82A15F94-5C43-6112-8508-00000000E501}5244C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049028Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.956{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C43-6112-8508-00000000E501}5244C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049027Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.956{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8508-00000000E501}5244C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049026Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.940{82A15F94-371B-6112-4901-00000000E501}6406724C:\Windows\System32\RuntimeBroker.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000049025Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.940{82A15F94-371B-6112-4901-00000000E501}6406724C:\Windows\System32\RuntimeBroker.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000049024Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.940{82A15F94-371C-6112-5301-00000000E501}7604112C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049023Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.940{82A15F94-371C-6112-5301-00000000E501}7604112C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049022Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.924{82A15F94-371B-6112-4901-00000000E501}6406724C:\Windows\System32\RuntimeBroker.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000049021Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.924{82A15F94-371B-6112-4901-00000000E501}6406724C:\Windows\System32\RuntimeBroker.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000049020Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.894{82A15F94-371C-6112-5301-00000000E501}7606124C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049019Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.894{82A15F94-371C-6112-5301-00000000E501}7606124C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049018Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.894{82A15F94-371C-6112-5301-00000000E501}7606124C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049017Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.877{82A15F94-371B-6112-4901-00000000E501}6406484C:\Windows\System32\RuntimeBroker.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000049016Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.877{82A15F94-371B-6112-4901-00000000E501}6406484C:\Windows\System32\RuntimeBroker.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000049015Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.877{82A15F94-371C-6112-5301-00000000E501}7606032C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049014Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.877{82A15F94-371C-6112-5301-00000000E501}7606032C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049013Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.877{82A15F94-371C-6112-5301-00000000E501}7605412C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000049012Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.877{82A15F94-371C-6112-5301-00000000E501}7605412C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000049011Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049010Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049009Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049008Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049007Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049006Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049005Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049004Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049003Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049002Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049001Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049000Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048999Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048998Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048997Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048996Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048995Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0D00-00000000E501}9001524C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048994Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048993Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048992Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048991Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048990Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048989Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048988Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048987Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-371C-6112-5301-00000000E501}7602204C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048986Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.856{82A15F94-371C-6112-5301-00000000E501}7602204C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048985Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.840{82A15F94-3494-6112-1600-00000000E501}12881968C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8408-00000000E501}3576C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048984Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.840{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8408-00000000E501}3576C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048983Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.825{82A15F94-3719-6112-4101-00000000E501}51045012C:\Windows\system32\csrss.exe{82A15F94-5C43-6112-8408-00000000E501}3576C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048982Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.825{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048981Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.825{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048980Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.825{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048979Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.825{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048978Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.825{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5C43-6112-8408-00000000E501}3576C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048977Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.825{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8408-00000000E501}3576C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048976Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.832{82A15F94-5C43-6112-8408-00000000E501}3576C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{82A15F94-3493-6112-0C00-00000000E501}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000048975Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:19.156{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5EEB0893E8E6270EA199D452A29B14,SHA256=E13AFAF6C48311209645F70FD47668F6725CB261CB143A1035B4DD12C098D1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035180Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:20.393{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FC47BFD32FA5B19EEBE0838DB72EAD,SHA256=0E50F21A58C15AC8E4AC035705510159142D4B7A905F7A32D9F272149A4ED041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049065Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.840{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBB5AEE10EF3753A0D857B39E5D933AC,SHA256=DDE46BAF5A84D8A2D1F574F2B385BC11FC95D9D0DA47DA6900A7B1D6EED3C334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049064Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.840{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F12C187D4208C9364BFF7D2613CBBA0,SHA256=75609A24C2F9740E902532A1110AA5AF50D5E5C2D7E2A0DD2AFE7369E7EA2B17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049063Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.755{82A15F94-371C-6112-5301-00000000E501}7605412C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000049062Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.755{82A15F94-371C-6112-5301-00000000E501}7605412C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000049061Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.755{82A15F94-371C-6112-5301-00000000E501}7605820C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049060Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049059Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7605820C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049058Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7607084C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049057Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7607084C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049056Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049055Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7606124C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049054Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7606124C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049053Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7606124C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049052Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049051Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049050Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049049Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.740{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049048Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:20.193{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615042E4B3948A6FFCCF94B808441A16,SHA256=36134F0490469FF5CDA8B488FE062F356FF6ACAA201D77D3A0F73FE39AEE11EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049047Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.590{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64557-false10.0.1.12-8000- 354300x800000000000000049046Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.478{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64556-false192.229.233.50-443https 354300x800000000000000049045Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.450{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64555-false192.229.233.50-443https 354300x800000000000000049044Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.411{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-15.attackrange.local62008-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000049043Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.411{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51748- 354300x800000000000000049042Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:16.647{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64554-false104.244.42.193-443https 22542200x800000000000000049041Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.416{82A15F94-3D89-6112-C804-00000000E501}6460tpop-api.twitter.com0104.244.42.194;104.244.42.2;104.244.42.66;104.244.42.130;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000049040Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:17.414{82A15F94-3D89-6112-C804-00000000E501}6460api.twitter.com0type: 5 tpop-api.twitter.com;::ffff:104.244.42.130;::ffff:104.244.42.194;::ffff:104.244.42.2;::ffff:104.244.42.66;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000035181Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:21.409{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285999CDA71F643270681DE0CE25ED94,SHA256=BF294AF3DC962A0FE2C72905F1BC54882640505600821A95474FA1C6788DCD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049069Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:21.692{82A15F94-5A68-6112-4A08-00000000E501}1104ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.bat@2021-08-10_105946MD5=F4646924CD99FB2D2972432D52F44384,SHA256=71ED6354F9904E1AA35B4EF8BA6F391EAB269E9F8CF74D5EE3909C334EF0F56D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049068Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:21.677{82A15F94-5A68-6112-4A08-00000000E501}1104C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.bat2021-08-10 10:52:14.494 23542300x800000000000000049067Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:21.677{82A15F94-5A68-6112-4A08-00000000E501}1104ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.batMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049066Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:21.208{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E0749F8E9B6C52827E775453FA7BE6,SHA256=09B9FFCDE48E5CF52ED43B88C9B60209521B0086FBEBA2882BC8C33C433F811D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049070Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:22.223{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5219F09FDC6AB6C0A6A9039D13C029,SHA256=86B0DCC4E5A169B5D0C9B2A23A70982C4BAA021949D94F650EF288E69932738D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035182Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:22.440{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8AD0BA6905ED87958FC0FD3A7B63CA,SHA256=3D31C85D47CBFD22E39AE8FBA9D46532A9641762DF6C39AC01E063D24899A3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035183Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:23.471{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF1D6E053A21A8D7EBA9AC87ADABEF5,SHA256=7E9E9E41529FB3F0316936C169D36F5D8893830D207DC133CE64A7C7AD9B9C75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049076Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:23.338{82A15F94-371C-6112-5301-00000000E501}7606124C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049075Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:23.338{82A15F94-371C-6112-5301-00000000E501}7606124C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049074Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:23.338{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049073Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:23.338{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049072Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:23.338{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049071Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:23.238{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24321F730C1415AAE739F909B793A820,SHA256=E4CAA884569A8DC1673B4E3135BA7D7147F187D9475F6BF9003278CA5498D2AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035185Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:22.834{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51662-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035184Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:24.534{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1F72755D381162F03718127F37E6AC,SHA256=B6038007347EB27EC63156617D01DEB7BC47C7D73663104EC3C62379F8D2FB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049077Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:24.239{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8AD408D0934DAAA0F7FC1E4917F534,SHA256=134E63819A2DF218AB677B96B246193C63ECA00499DBE5C70B57359AD5054BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035186Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:25.580{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E2A982FDAB30ED522182C9F0382159,SHA256=29563AF4AE3CEFDAD166CBC397D8A9C49AE60F731DAD0212369E0A283CA8ED91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049082Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:25.438{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049081Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:25.438{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049080Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:25.438{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049079Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:25.438{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000049078Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:25.254{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3E2984C379B17C7C819C36EDB6A33F,SHA256=75F1D42846659CE1782EF74717D1ABFB9218A57AFE8B8F7A7549F08001891FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035187Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:26.627{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A8F4A3FDAC0223BDDB4A0FBC3D84D2,SHA256=916532691C00D06A968CB9C33B7B9FD64B79AA23814824AE1ECFD766A70CD5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049093Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.275{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DC012526657E63938F7D3888542EE5,SHA256=20B2B2DA9E8AFCAE54A89F99DF829EFE65F54E97E4525949072DA42E81AA3380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049092Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.174{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049091Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.174{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049090Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.173{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049089Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.172{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049088Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.172{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049087Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.172{82A15F94-371C-6112-4A01-00000000E501}50604188C:\Windows\system32\sihost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049086Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:23.526{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64558-false10.0.1.12-8000- 10341000x800000000000000049085Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.023{82A15F94-3493-6112-0C00-00000000E501}8404064C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049084Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.023{82A15F94-3493-6112-0C00-00000000E501}8404064C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000049083Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:26.023{82A15F94-3493-6112-0C00-00000000E501}8404064C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000035188Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:27.659{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F154CA23A478A1ADB5C4EA19D1195BC7,SHA256=E741C8F0F295A3A1735BEBF6AD18E975A27AFE66FE810995EC6B651C0DCBFDF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049094Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:27.290{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C8F218C28F0DB274FE6BDD828E4439,SHA256=A9BA102E464A127C912EDC272C5AB588641A45CB4D420B43F57D84B3D27566EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035189Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:28.690{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B7D5AF4CDCF885CB0C7024B91AF787,SHA256=829A0F2FE8F702D203ED770FCFF61A8F85312B15C7051C09C1A7B30FB58EF7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049095Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:28.305{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF23BFC78D97C73B95EB82E8C64B236,SHA256=A29CA37DE39FD86D78DBA0B811EC77322123749391571D64C3C36C2754B62E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035190Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:29.693{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10057FB8892ABAA995195FD58B0922E,SHA256=8DC368E39751C65A36CD8B3518D2FB9302E8E36B06B08EAE454CBA979299AE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049096Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:29.352{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655295100144CB573E6B13D05696CBA0,SHA256=7436154CF0889C956D36A43DC77B10D197A18B88EA98600C4C42A8B0AEF121F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035192Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:30.756{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4B79BDFDAD74FCF02AC7C3CC1071B6,SHA256=31C28E6B418720243ADD5FD15207DFCA9DA9D545EFC68A4398D92C7F60EE9C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049097Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:30.369{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712165E33E50A200DE96DC62CD8CC3F3,SHA256=985688AAB17F1436502F26F2B04F0A813FA58DEDB28DEF38A4ED0868DF0D3D92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035191Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:28.834{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51663-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035193Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:31.803{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE64BA23E3BD0435D879EDC37C0ED1EF,SHA256=BD6175140D5D0B0236427DEC1EBF8A717A903E233EF76101D3F1F2B4BFF371F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049098Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:31.388{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9C2806C1821EF1E8FF696633BFC245,SHA256=C1B8D8CBA3A18C37388A6A7B5205CF79EC629EDA1716D475BD1765B4268822F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035194Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:32.818{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A019F82B19E7F8BD04820F80F32BFF,SHA256=C37F83408C5610D3556E472DA02AB7CEA38E1235669857190982CBD13202D409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049100Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:32.388{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCC3DA290DFDC3265AED04A0DF8C967,SHA256=E06D46E61C256C2374D878DAEBF15D564C4EB635F107AA0538A2BE1D6794312B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049099Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:29.485{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64559-false10.0.1.12-8000- 23542300x800000000000000035195Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:33.881{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B6C287E167C6641B9622BECC811A9F,SHA256=D86086D4962B8D24C68EDBA5E32FB3F46CAD7C125DF51CB1D89B89ECBC81F03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049107Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:33.849{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049106Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:33.403{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610EF117FADF8B5C39D746A263710583,SHA256=EC0224023E9708C0FB6B79CAD9B376BD9063E3A358D6E6847602316B9A6E0812,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049105Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:31.484{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64560-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000049104Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:31.484{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64560-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000049103Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:33.119{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2679D72053FCDAB29690F0163726AB,SHA256=A42ED494C596A59C2A16B219C4441B07FFDC7058BC245BA616D3C853D4E5AF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049102Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:33.119{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBB5AEE10EF3753A0D857B39E5D933AC,SHA256=DDE46BAF5A84D8A2D1F574F2B385BC11FC95D9D0DA47DA6900A7B1D6EED3C334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049101Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:33.019{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035196Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:34.959{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226EEFFACAFD92E8E5635DEB23266842,SHA256=51CE81F9511FCAC60FD2D281307C7B0E14907D20EAE2F6CD42F35EAB9E5FB29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049108Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:34.418{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15672A23E6B77E51DFAA4310E28E507,SHA256=6FF01F444EC595095DDB912F7532CAF6FF709D8761D79E4195267DFBFF83ED86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035197Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:35.975{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2197B809E71A040BDC63ED5988759E,SHA256=0F6DF2EAA335B40D63D610A73087CBA4EFD5F4F9D3C15261263E65F7868A3D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049109Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:35.433{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995F67A17344554AD94D021E593B68CF,SHA256=58514598FAB8316E2C4B7FCFB6276BF00FCAA030CE3EEC66445664BB13168692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035199Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:36.990{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645671EBCFC3D835AB7BD2A6DE29740A,SHA256=685597E0AA7FCCA14B3354B48035018AB4CD8D902FC06D60F76B2D26823F3A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049111Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:36.448{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DADBB2BE5A13CEE92D2AE9269F76723,SHA256=9CE4F9749E8589D8B178D453C42E8D0948A1A712E78FB33BB419DFE3B2D9E9D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035198Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:34.868{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51664-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049110Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:33.268{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64561-false10.0.1.12-8089- 23542300x800000000000000049113Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:37.463{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CDF30B6120AEEEC51DF65AD7365605,SHA256=D68B70F1E3A4B30B779088038D5D853B2C04123066E16C91B2C120AB6635B685,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049112Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:34.636{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64562-false10.0.1.12-8000- 23542300x800000000000000049114Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:38.478{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B64CBDB867EA7F8322E4BDD7AC3701,SHA256=E6EF3BDD801C2896401E11682C0B76F441D7769228D8AD47B9E1518A08A813AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035200Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:38.006{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB73280FF581A46477702197FE07DCF,SHA256=EA1B5FC7B4E36BEA8B047F740AE0F74F0D0C25A2CBF8B678F96DCE5A2E906A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049115Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:39.495{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B37455ED57E9607D3ED13B9281CB8E,SHA256=66261C8DB70BA48DC24D7D1AAA5BE38F692ADD009BDAD4245964D1377DF01D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035201Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:39.021{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDEED6EFD2993C44361C731F507D94E,SHA256=F9E6C130E6FAF05D89012D9CF7A734005B515D352206ECFF7C2BF76F9924C10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049123Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.514{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8907084753018D5E35E5E2E988423F6,SHA256=A42A2F9E83FDE24F2A0A18B031BBC172819DB50E41BF4A7761DEE0DCB10600DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035202Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:40.037{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A779DCFDE8E60D7B73FC95DBFE89F79,SHA256=52361C3DF57922DEBDA8E2011B8EAF2AFB1332EA19008B939967B523760F0E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049122Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.430{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=ECA5113E5734857AA3D006819A1CE632,SHA256=99B996D63CCEAB66BCE8D35FDE2E73608510F0A8A02E9BB7A04BC067B889EADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049121Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.430{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=D2BE157B157D83117F6AB2AA5F885B10,SHA256=50C4F45EDACD4CA02CD43E6F82723E7D2240F4A38BF77CE773B3EAE420BA9C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049120Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.430{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=18460243262488A5CD149335480EA1FD,SHA256=DDBC6BF9C95ABA92A49FB8981A3A362EE69AF41515DCC7FFFDF177489173495D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049119Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.430{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=BC020B5A1E202D1C03E29A6911BE0372,SHA256=2639FDE90E6488A50C72E7D63A2762F0C3A59A93788472673F853E6F29BBB081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049118Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.430{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=173447B29E9D71C6A8FD6B2419829324,SHA256=43798AB1A7342BB4349F109C5B5DE0CD0B85FEFC9AA2BC58D4DDBDB11C8106B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049117Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.430{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2CCB33E32E7BC0CFE108E3B946B3F270,SHA256=960FBEE7AEF7DB40807B7BBC5A89421056D7B5C6656A93A9CC31FC3DC72FA19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049116Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.430{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1D3F215D2C887A3771996CC1F068779D,SHA256=AD682E23E986F1D8ECC1EE023B548A9BB7B82AE06F6E038A7624303A20036276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049124Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:41.529{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0DB7E4DB20D3170DE6BCEEB513B80A,SHA256=F6E476CC03BA657541E4429DD28783431DC45DD0207707DBFA5AF450E1A2CFAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035204Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:39.868{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51665-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035203Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:41.053{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9523CB1A9BEC874FAF30DD177DF91E,SHA256=2FC85CC2723D2EC9B4F268BB9E5995EDEB7C6C23AE5A735F676643741BD630FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049126Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:42.544{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151BBEF121CBDB5EA600CB11A346C65F,SHA256=C6A790F9F43A6228971E67C5C3A583E828E07D14C625CC837C0C2B45A5335AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035205Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:42.068{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534BBCB33472D099CEB13A88461D9117,SHA256=376257D459AAE2904E0F07C4BBEF40963C208606D1A1B817492DF6ED142D7859,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049125Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:40.648{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64563-false10.0.1.12-8000- 23542300x800000000000000049127Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:43.575{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF6D6BECECBA8E8B5EAEBD757B3A5B0,SHA256=669CD9E9C597E70F43BDBB8297BEAFF3665FDAA532534903A7B71D246104C6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035206Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:43.084{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF329BB7E2C968277F7E222BBE75CFB4,SHA256=2E39020BA9FA8D407C81BE36F57B4ABB393AEEAB35BC5DACBBF4A0B03BFA6B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049128Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:44.591{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AFAAF0552D60ECEBB5E2A80FD0BF41,SHA256=5324E5E92B76394D3A985BA9D11D1D0FB8C4A98D72338AE9990D82F8F6B06247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035207Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:44.100{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7865DFD17C0C8A1717AA3319FAB8FEB2,SHA256=DD06B5C0B0D850ABA36EFA44CC231F62CFAD1AB5625A105C3B81530E59A8022C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049129Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:45.610{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5656DBB8AB0314D7156E00A7366699F9,SHA256=3C6F12AC10B04456AF5E55AD374F397D00BC91F2980C65E40BB4B55750E09C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035208Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:45.100{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30BCCF54200DCE71E4046DC1B1799AA,SHA256=721A9448B7E267934D612F9A381782BFA5062D8F33192C743D6AFEDB7DEEE7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049130Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:46.641{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681F7771E5DB82C5E89409127766042E,SHA256=02B68DF929B2346E6812C6EE180C95151FFDC22587626E08B3E3CCD07AE5D7F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035210Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:44.962{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51666-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035209Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:46.115{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC37C63602339017EFA10F4930BFE8E9,SHA256=73034D5E74F905A1D00BC9A4E1B80729A8E0E4306286F44A399491CA7C583C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049131Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:47.671{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B1FA143B92033DCD6769F3140388E9,SHA256=E4FC246C7AC2510A873FCAF2A37E915D21883F0B5D953DDBF7447642964E6BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035211Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:47.131{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C098DD9649C76384C989CFD0EED645,SHA256=7D7020785A3BE24344413402D898EC88B9B00A5467A5AD2B5B34D3205FC6E728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049133Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:48.690{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE13825417C5141806A32D11B37B4C6,SHA256=483FB22C8C6BDC52029B68F7C86365C549D45C790EE3B10E1CD7438F2A355859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035212Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:48.193{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C43EF29E06DFB679DEB35B22A852961,SHA256=847B1C2BF997703BE3E08B4FF5D1AB5EA77EE5FDC55500183C5D380495C1964A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049132Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:46.559{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64564-false10.0.1.12-8000- 23542300x800000000000000049134Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:49.708{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9E5F7AD1E8F4AE00A3A8E7070A79D3,SHA256=D7247E4B46B278EC10829336596BD62EFE99FDE97D0C76687EF8802FEBF1D5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035213Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:49.195{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DF4E725D763B8BBAAD532255C1176E,SHA256=A43F4D1C853A4CB17143EDB338D31B2B5BE5FA7BD79EC8B338C62CE683F6C62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049138Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:50.723{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8C0DFC25829484103A184CF34E639B,SHA256=888DF0B07068B7968034B1FD38D45216DFD0860E8FDF5058855B6D0034303784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035214Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:50.226{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A0294416DA34F752D1213030520C30,SHA256=74FEA501CB0F3DDA879DA4EF2164D093669B89B896F2364B184A731F28043272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049137Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:50.239{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF9b95a6.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049136Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:50.239{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_d15fe150-5051-4487-ae6a-742689c11c58_Untitled1.ps12021-08-10 08:52:49.598 23542300x800000000000000049135Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:50.239{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_d15fe150-5051-4487-ae6a-742689c11c58_Untitled1.ps1MD5=60DADB81EA326DC84734AD57063B7B17,SHA256=8BDF8477D8D346BA60D232A8E202987AE32B54CCA1D8F56605ADE3890EDC92B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049139Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:51.723{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC5D7A3C26C2FC703EE33AF1AAEED15,SHA256=804F6A098BB32B138D7C1FADD220BD1B0A762D55BB0591E002FE8A6343957C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035215Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:51.273{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAB802EFB7E10D15B39371D0C0750B8,SHA256=B296292039E34769E75A83D8D1528187D82954AD26CB7179CAD3965F2FE68A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049140Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:52.788{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F339810A12B80E6AED72D7F6F53B89E,SHA256=FDB1F0A93EA6B5EA846980E46802E0B9C0A0CBC33002DCB484BD5525FC2143C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035217Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:50.901{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51667-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035216Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:52.320{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04257520323E7D09DDA374A08684AE1A,SHA256=9FE9EDEB2DCC23ECDBA98F0E115D07BCC0E426F0932AEB121934C6B2CF7CB66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049141Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:53.807{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEADEE8946C847F39797992C7583ECA,SHA256=7E83FF45B5C95DF545103E67B2DFA9282E73D11A861FE32E4226A3C243B98579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035218Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:53.367{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB0108795926A36DE77E4E064BD5591,SHA256=6E63D8D9C03CD8E7314705809856AF344281735844A6F3E820E2CCAD9A0D38F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049143Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:54.822{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752DEB5C8C0AC6C36950A236829F659C,SHA256=E35947CEFE054300B9B2912DA368A7A1B599A36718822EB99AD9002F1B4E844F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035219Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:54.398{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5473DFB213403E15F944998B66925F3D,SHA256=150B6D5CE00F5EBF462FC1A6248887FE44999EF711D9641BB9EC111EF900ED16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049142Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:52.541{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64565-false10.0.1.12-8000- 23542300x800000000000000049153Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.838{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB4BED0349F12F2E249ABF7946B8E08,SHA256=1F3606AFD9946AF497ACF94E950F24E367EAE431FC595163B1125F7762D34015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035220Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:55.445{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DA93E939A0ED95F7FDAD1C94DE56D6,SHA256=5E26EFB30A2E897955D63349D3F4D80857EE785653C2EB95A9E18DD41A39C0B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049152Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.488{82A15F94-5C67-6112-8708-00000000E501}60202192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049151Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.322{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C67-6112-8708-00000000E501}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049150Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.322{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049149Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.322{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049148Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.322{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049147Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.322{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049146Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.322{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C67-6112-8708-00000000E501}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049145Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.322{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C67-6112-8708-00000000E501}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049144Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:55.323{82A15F94-5C67-6112-8708-00000000E501}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049172Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.869{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD88A4DB73DAAEA38DAC1DDE9BEC6489,SHA256=9333539536F8E7E0830A3B5D2E04F21D986B3B395A8D68C4A405CAA301A59EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035221Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:56.542{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF11CE1A07FB60440E01F4415BF9E66,SHA256=4A8225D548B88DC134E0A42C1FFE40446FD582930EAFF430B4AFBAA5397AC952,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049171Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.689{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C68-6112-8908-00000000E501}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049170Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.687{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049169Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.687{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049168Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.687{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049167Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.687{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049166Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.687{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C68-6112-8908-00000000E501}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049165Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.686{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C68-6112-8908-00000000E501}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049164Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.685{82A15F94-5C68-6112-8908-00000000E501}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049163Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.337{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1A68A12D1BB145E64BAE3A4CD487E64,SHA256=7EDC913F2489100EBA46F613B7C1A73FF3DC24EF3E53F6D5C42D94755E3D16F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049162Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.337{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2679D72053FCDAB29690F0163726AB,SHA256=A42ED494C596A59C2A16B219C4441B07FFDC7058BC245BA616D3C853D4E5AF39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049161Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.006{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C68-6112-8808-00000000E501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049160Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.006{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C68-6112-8808-00000000E501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049159Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.006{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049158Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.006{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049157Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.006{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049156Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.006{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049155Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.006{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C68-6112-8808-00000000E501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049154Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:56.007{82A15F94-5C68-6112-8808-00000000E501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049183Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.869{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243DE3D91259DB46BFD12FF8F6FD3BB0,SHA256=CDCDEEC4F10D2818E8E9B6B06FF2BC50F2D7A994255B51D74EF0260C4A62549C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035222Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:57.617{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89050CB852F9DD430F8BF28470D823A1,SHA256=29BA02819130322A04ADA9425B6B70B95CA67CD6F8C4668F318502AE8F5DFF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049182Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.707{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1A68A12D1BB145E64BAE3A4CD487E64,SHA256=7EDC913F2489100EBA46F613B7C1A73FF3DC24EF3E53F6D5C42D94755E3D16F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049181Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.622{82A15F94-5C69-6112-8A08-00000000E501}25286308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049180Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.407{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C69-6112-8A08-00000000E501}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049179Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.407{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049178Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.407{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049177Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.407{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049176Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.407{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049175Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.407{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5C69-6112-8A08-00000000E501}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049174Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.407{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C69-6112-8A08-00000000E501}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049173Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.408{82A15F94-5C69-6112-8A08-00000000E501}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049203Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.908{82A15F94-3491-6112-0B00-00000000E501}6326204C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000049202Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.892{82A15F94-5C6A-6112-8C08-00000000E501}45246816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049201Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.870{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F1B15728A693D61BD037521E88D74C,SHA256=C6B70ADB9CB5B55D5AB9C7DE79B21987C6B259AA3FAF643E375B6366F4B776E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035223Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:58.666{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061A049B223293362AF4B031E116B331,SHA256=4BEB421CBCEC71AABEC3DB0503EF6549B459EB5C601F200A8AC7AF7B8EB17EC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049200Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.739{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C6A-6112-8C08-00000000E501}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049199Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.739{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049198Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.739{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049197Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.739{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049196Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.739{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049195Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.739{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5C6A-6112-8C08-00000000E501}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049194Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.739{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C6A-6112-8C08-00000000E501}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049193Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.740{82A15F94-5C6A-6112-8C08-00000000E501}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049192Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.224{82A15F94-5C6A-6112-8B08-00000000E501}6046512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049191Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.069{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C6A-6112-8B08-00000000E501}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049190Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.069{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049189Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.069{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049188Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.069{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049187Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.069{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049186Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.069{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5C6A-6112-8B08-00000000E501}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049185Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.069{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C6A-6112-8B08-00000000E501}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049184Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.070{82A15F94-5C6A-6112-8B08-00000000E501}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049214Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:57.571{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64566-false10.0.1.12-8000- 23542300x800000000000000049213Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.873{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBEF7878E687FDDFB5D708400C59A48,SHA256=9FC12A0343FB1BB3D6BB4D58D50CF548E51B944F666CC237FC33E3FB26814968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035225Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:59.697{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B3FE73C0D29FCE7464FA36F1D50A39,SHA256=196E9BB582D97C20C7CB14388BC3EF50C88E4BD40B4FD3FF07DE915FEAD13261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049212Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.407{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5C6B-6112-8D08-00000000E501}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049211Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.407{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049210Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.407{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049209Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.407{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049208Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.407{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049207Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.407{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5C6B-6112-8D08-00000000E501}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049206Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.407{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5C6B-6112-8D08-00000000E501}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049205Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.408{82A15F94-5C6B-6112-8D08-00000000E501}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049204Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:59.070{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0E7B64413406AA1BA36612DA4831BF,SHA256=1F134941B8D3CCE19DB0B27487BDB65322650FA103673D03C08BA9FB26A4AFC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035224Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:00:56.870{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51668-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049220Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:00.910{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567D5880DE80E12158B9A728BD155C5F,SHA256=B5D40683285301E12C54B4456747D0170F354ACD434ED609E1BA08D080D36600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035226Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:00.728{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBE5BB13DA2AAB6F63490531BC1A471,SHA256=20CFB7506D935CA2C43E6001C9BE245AF69F92A16B786FD0351376CE35C7F17A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049219Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:00.894{82A15F94-3494-6112-1600-00000000E501}12886464C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049218Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:00.893{82A15F94-3494-6112-1600-00000000E501}12886464C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049217Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.343{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64567-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000049216Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:00:58.342{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64567-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 23542300x800000000000000049215Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:00.410{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A0E8C26592A83FC37BCDE781C507515,SHA256=7B05B324B63A3C00A23A2B44A87E9DA19B5EC0FB338DB680781061CA5B3294D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049221Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:01.925{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6843A873A33AA4D1ED95D469E8B5BD0,SHA256=437E529B10239EA8723BC6E522209ACA3AB90DD27F066F8B84BAE859D3E0BE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035227Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:01.728{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91AC615FD39F901AB97BEFABFB5D451,SHA256=A45D2516F31E0BE6705B9636D4FE9C759BC6EB2380CF650F78A7F60F4B0796B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049223Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:02.939{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86244183CF39166B2E277B7F7CCB4B4F,SHA256=572140DAF1A0590E1C9319D57750ADCB834A86393B6B1814831247415548068E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035228Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:02.744{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3A0AA4C8E79FCACD777218FE425648,SHA256=314E5C0ABB89F94104B0946B0613706AD40DA830148B8AF5081E50920531B459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049222Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:02.188{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E3A6C5860D4E61B50A4A6BD23A429472,SHA256=168FA5DDC118FC6E9800C1CC35B9989B62E46B905B60124685C60AD4D17A1FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035229Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:03.744{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA9A099969049B73E7032D205669FDA,SHA256=36037690D1F4CDA6B9D32BDC149EAC25988463FE13FE444922DD142F7D3A2BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035232Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:04.806{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D4ABEE189D808570195B3BF5AB133C,SHA256=8D49B274FD1D9E79C514E0C1C086C98848520D68931226C8337C14A4CC6E18FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049224Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:04.039{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A727CFAD99A2EEA5707EEC69DFCD8DCC,SHA256=B4528D40D6C58E358D269681613A3A19F56EBE6F67429D5DE19D75D7EDD98101,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035231Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:02.840{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51669-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035230Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:04.166{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035233Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:05.853{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953909E1666A95CD587D0DDDA87B1CAD,SHA256=8EF9154986BF209637880D1D30FA3548C460E0F99DB43BDFDDEFE4C01863D0E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049226Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:03.519{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64568-false10.0.1.12-8000- 23542300x800000000000000049225Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:05.040{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A097CD63A876B6D7B7ADD470DFE1646D,SHA256=F2CE17D53744CE7AD96C17ED7EB25B88D2ADD93D8F87F55570F6F31F515207B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035235Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:06.853{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF88AD6995044AC083C2D50FBB2F99F8,SHA256=FF5F5CCA49E53E152E998F79AC23EBADEFC31BBF753F2E2AE4D5E171CCE32133,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035234Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:03.919{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51670-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000049227Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:06.069{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6DB9A9DB1723260DA78CF6ACFB4971,SHA256=D51589AF255DED3B5BC97A90E5CB8CD743B8D9589E571220CD58A2513C0A8B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035236Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:07.869{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A4A8FC959750C046A7D01003C9D711,SHA256=DB26428E11C9465C3D0C90110A2B42ECFD8E55C22E76E94CFB28D7B9CA614F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049228Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:07.088{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC9C3E321C4E80EA66216302CDEBE48,SHA256=C7FCDA0112ACB148703EF0408B7FCA3CA46E58AF549AC4CFAFCDE61B82E51ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035237Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:08.869{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0971E42A3B4B90ACCB2B062414963FA9,SHA256=249D3600C3E8E977D9BC9FDDE506D4C6332F0C343B2BE6A8B5FA85291D6E0E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049229Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:08.122{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F7C0625251F1950B9319C32B403E5BB,SHA256=86C7FE3689F2D819DAEFB04AA2C097555178FB450ECBA2891A45D3FCA2475EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035238Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:09.887{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66285D902E7097D127ACEE53543AA9BA,SHA256=7A101F6C85EFC8C93AB488A868B8735D2027CE880C820AD45202C82740BD9D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049230Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:09.141{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9124DB48F8BAB74131744F8988A81F0,SHA256=8B7D53E8C09A7D2488B0CF49011C30E6DE0E45D271B8F02E2FD3B8319CF823C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035239Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:07.872{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51671-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049233Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:10.640{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54177191B0A8902F20B1F6F85A81B537,SHA256=C369234B8F497D93AE5693E42136D3A5BF01DA17CB5C14695911D22C20853EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049232Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:10.640{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04EAB9857E06ED173045D3C278BCD8E9,SHA256=7958E06824829EF03BE904FDA2A5D1407D30F511A7D5421B2683BEBB81CF3064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049231Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:10.155{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542545289BA295AE27C444AF9F036828,SHA256=79730A94CF2DDDCE7D8C418EE8C7F32CFD3BEACF8A4B56C025D94472D2FAE916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035240Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:11.012{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA82CFD55CA3AE2A30FF22A58BB93E10,SHA256=A718EC2BF404B30B1D7F86D061360F30004D616889F69C2AC76BB8782D6F9CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049235Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:11.155{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A04E634EBF0ACD8B26480ED976BAF4,SHA256=889B05A649A46430195FE6B3C23A55AFB6A866C000C1459EA50570AB26EF4472,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049234Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:08.649{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64569-false10.0.1.12-8000- 23542300x800000000000000049236Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:12.170{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6ED804CBD1330A75DA9EDBFD285EF2,SHA256=435A0F5E1C65044FF0F43FB0A478312A179E3D885BFC127877DD6234FCF248B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035241Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:12.043{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA4EA8A8F1AF3023EEDB146E122B786,SHA256=ED21154AAAA40D85C3672B48AB17788215BACB48553FC04DD5E621656030488D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049237Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:13.188{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC88D1A1749832A1D55DDDF654DF2D1,SHA256=D6E9A64E816A6D61373F3B5A71D0F1B380BD42F0CC7891C4BFFDD62ECC7E18AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035255Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C79-6112-F706-00000000E601}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035254Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035253Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035252Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035251Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035250Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035249Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035248Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035247Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035246Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035245Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5C79-6112-F706-00000000E601}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035244Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.684{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C79-6112-F706-00000000E601}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035243Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.685{82855F7C-5C79-6112-F706-00000000E601}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035242Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:13.059{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C25C3D22BCA7A0BA467924521F515C,SHA256=39A08183780D65FA62B8426F7572A3E9D8325C84FC3BB541A40E431A5F95BD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049238Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:14.206{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56448821B2AFA7DD81221A87216D0742,SHA256=22899EE8B89C6D648C6444AB9CDB058DA70A052CB3880E93AC59E3FBCCFCDE6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035286Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.902{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D9E67A7FBEE584A8E66412B75E56C7A1,SHA256=A35411E5DE537F03D6A920BB3D4603573E5DA340600B3ED31C2D2BF5753B8FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035285Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.699{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C79E5EDF953CDC016FBAEB679E717171,SHA256=74558C0D103DE3827AE6D7F9F929A7B889E3D834BAA7570275DDE9BD1698A7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035284Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.699{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E663AA75747361BB99AB663C98269963,SHA256=7523EB98F43BDF607B8C62E41A592AF43D00E3D868B48B113B3D6F89D86EE9B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035283Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C7A-6112-F906-00000000E601}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035282Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035281Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035280Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035279Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035278Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035277Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035276Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035275Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035274Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035273Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5C7A-6112-F906-00000000E601}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035272Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.684{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C7A-6112-F906-00000000E601}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035271Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.685{82855F7C-5C7A-6112-F906-00000000E601}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035270Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.449{82855F7C-5C7A-6112-F806-00000000E601}9202696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035269Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C7A-6112-F806-00000000E601}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035268Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035267Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035266Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035265Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035264Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035263Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035262Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035261Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035260Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035259Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5C7A-6112-F806-00000000E601}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035258Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.184{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C7A-6112-F806-00000000E601}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035257Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.185{82855F7C-5C7A-6112-F806-00000000E601}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035256Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:14.090{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEC90E11BC0B5B1C3A807CE97EBC936,SHA256=01A3EA5ADA4E3F81146F5D656C2C1A7296C5CB8A97E8AF5FB5DB9C8F27F4C71D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035301Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C7B-6112-FA06-00000000E601}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035300Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035299Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035298Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035297Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035296Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035295Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035294Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035293Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035292Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035291Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5C7B-6112-FA06-00000000E601}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035290Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C7B-6112-FA06-00000000E601}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035289Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.934{82855F7C-5C7B-6112-FA06-00000000E601}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035288Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:12.874{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51672-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035287Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:15.215{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FD20E1B509DE63081D86A41654F8E1,SHA256=889DB18C41D32B7E71CDD07EDCA9A66AF7E754767D1AD297594C501D4C1538E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049239Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:15.236{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3826619FCA35AE304C11F978EEDB35,SHA256=92EDA67C09D309B5B32C6E2D27B2D78AAC23E0D1771839A5F2E123F4902D3E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049240Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:16.251{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E008AC0859207E4DCD650DCECA818DC,SHA256=043E54427391CCAAEFCE1C0C1F98103C0AA6D74278131376811DF180DF3B567D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035318Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.965{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C79E5EDF953CDC016FBAEB679E717171,SHA256=74558C0D103DE3827AE6D7F9F929A7B889E3D834BAA7570275DDE9BD1698A7F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035317Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.746{82855F7C-5C7C-6112-FB06-00000000E601}15322056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035316Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C7C-6112-FB06-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035315Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035314Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035313Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035312Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035311Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035310Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035309Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035308Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5C7C-6112-FB06-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035307Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035306Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035305Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C7C-6112-FB06-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035304Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.606{82855F7C-5C7C-6112-FB06-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035303Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.231{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B20A706CA5E96876E79478B561B8506,SHA256=25EB8C6E070D7693E8DC82CFF7C86ED0B501147A1241E8821679A4BF7985FFF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035302Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:16.059{82855F7C-5C7B-6112-FA06-00000000E601}19961504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049242Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:17.266{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9774E84948A648E246D7B5141F7CFB36,SHA256=BC64A1201AF48B54D60A0C9B3140F5AF34ECCC6F3AC5FE7EC894C7F8E66DF7C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035348Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C7D-6112-FD06-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035347Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035346Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035345Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035344Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035343Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035342Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035341Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035340Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035339Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035338Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5C7D-6112-FD06-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035337Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.949{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C7D-6112-FD06-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035336Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.950{82855F7C-5C7D-6112-FD06-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035335Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5C7D-6112-FC06-00000000E601}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035334Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035333Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035332Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035331Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035330Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035329Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035328Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035327Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035326Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035325Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5C7D-6112-FC06-00000000E601}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035324Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.277{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5C7D-6112-FC06-00000000E601}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035323Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.278{82855F7C-5C7D-6112-FC06-00000000E601}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035322Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.262{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229757864EBBBA0652DC7CCD033F8FF3,SHA256=C7AF314A8492717ED1CD78CBCE5470220610A66DC2F420B68BA886009D439328,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049241Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:14.570{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64570-false10.0.1.12-8000- 10341000x800000000000000035321Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.090{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035320Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.090{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035319Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.090{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035351Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:18.496{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C9141E7566458C1F17C72B4331FA5E,SHA256=9663A1EFA2633B9CC1E2E7C2BAEE6B9305D8D34B55B43E9CABCE1797F0BCA5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035350Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:18.496{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52C28844BC8C39B0DB50C3D97FDB6F6C,SHA256=E9D905D3DB3E210955774E9021D12CB33DC8BF4CF1724ABAB8826E0A16E4DC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049248Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:18.690{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049247Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:18.637{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000049246Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:18.637{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000049245Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:01:18.637{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.68.89019720C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049244Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:01:18.637{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.68.89019720C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000049243Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:18.268{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F238AA89249103BD0D44D21DF6F509E,SHA256=609D8C65724E5495BCAF384C1B431010EA95DCB3889849D4524A866801C82AED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035349Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:18.168{82855F7C-5C7D-6112-FD06-00000000E601}19481340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035352Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:19.715{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F8EA834136ED14F162A0B6C4D19FC9,SHA256=AB177AF2819C23558771A46A7DA4EE508DB105DBDA3EB73133B50E953EA624C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049251Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:19.605{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049250Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:19.605{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049249Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:19.288{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DF034853E18B5A1166726343F77AD7,SHA256=7A26E42F11F037D3847CB3FA8A9F68D92B2646EF0BDE37032FFB2A481F7D2A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035354Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:20.715{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B28873CD7258456CBF88A3F9D62CCBF,SHA256=ED8CE1493D57BAF98407E72301169D99504278F57D74D7B917430353823E5966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049252Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:20.305{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5630834DDAEBC169FD35B0ABFEB5D5,SHA256=94DE1B36CF9FF0AEFADE5FC99BBE680A60A0EBB4E5DBCA05FDB56F7A7D2270AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035353Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:17.936{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51673-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035355Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:21.762{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0090D516CA07D8A0943ED16227DBE752,SHA256=D8E3D14BACDD458938CA5BEE30B15A2C33304EF3D5BA6E61291408E8562EF4F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049253Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:21.336{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1502F1C53331B560F228CEC26D36114,SHA256=9DCA183977671C3BBE6AC5B4B1E1BBFB2B854157EDD880074FBB513D98B49552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035366Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:22.793{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D1EB21F166F28512CAF6AABC3C66CF,SHA256=3D03D77A517A106E592E4261C464A1685C59C20A6DD8E390EE1B2CE75FE8E460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049254Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:22.366{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961FFCE6197F3FFB52C7AC4E01A7225F,SHA256=55A014E0408F4C6516A58BD7F9858A8D5D4EE27CD095264FCA9562CB4605AC09,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035365Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035364Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00948482) 13241300x800000000000000035363Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dce-0xac21ea88) 13241300x800000000000000035362Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd7-0x0de65288) 13241300x800000000000000035361Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddf-0x6faaba88) 13241300x800000000000000035360Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000035359Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00948482) 13241300x800000000000000035358Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dce-0xac21ea88) 13241300x800000000000000035357Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd7-0x0de65288) 13241300x800000000000000035356Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:01:22.762{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddf-0x6faaba88) 23542300x800000000000000035367Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:23.856{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AE80C49F00FA1E01C814806E245ED9,SHA256=1E6BF14CCC8180E08B3B2D47C6D25F2F22B422EE9617DF9E16B4106E423CF9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049256Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:23.419{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121ACED8DDAF14A82F7ED65936879D26,SHA256=208D33D286E2F512448197A5C8915C59A196A2AD3E9457ADC3E2DD78430B5DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049255Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:20.554{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64571-false10.0.1.12-8000- 23542300x800000000000000035368Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:24.887{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B27297ABC3273C0EE5612AF2290C3BF,SHA256=71D650ED407C62BB0FB11E19D108BB24B0B76EB823533F0716F3700ED93E07AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049257Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:24.434{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FF2CE5C5D853BFF891479643CF1B2C,SHA256=FC9C9962C170EB1AFADD7F27A022FBB92762F118C5ED8692EA575C29B168E3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035369Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:25.902{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FD62177A26F71E5E96053108A6A351,SHA256=FF2872055C58C4424B2E2E8ECBE274D853057CD60FE6D68C87DE21687144CF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049265Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:25.465{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=497F7B1D215417614D060D811D711C5D,SHA256=F99A77DF1FB59E0B0334DD4EC30CA367D287EBCD8F070967FF01DD5EE74D1E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049264Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:25.465{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=24A0AA79C735250B4C29CEDB9D7D03C2,SHA256=4AECDDC5B71DAA98CCF96FF9DD5257C3682068DCDEB47B3AC9475A87493BC503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049263Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:25.465{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C5B8169AF0B202963A56F48683D68BAE,SHA256=39F84DF5F2ED649868DD4404940BFA187669D885049D776D2CB06224401D671A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049262Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:25.449{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1F6793D215256B32B1DEEDEDAA44DB8F,SHA256=0773DD57C25064E5F253A34A88C0A6E53504523DB973E8D96764364BACEAF8D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049261Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:25.449{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=A5D2FC064288356EB51EC17F6C040F57,SHA256=F333FC363652CF546D912C76A68368212D4DABFD484E44CA03E2B3AB78E9B233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049260Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:25.449{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=3F79604E94E1B6EA0059484B5FB80951,SHA256=1BDFA52F3275447C98918E0002A50F80DA3275D17FC292073B1709A18DE3FFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049259Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:25.449{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8305C63A2BE43731D9E47033FCC856,SHA256=E303665B522B92BDA2B88428C1E8B6E5B6EBE0B44014AFC2EF6C982E5CD5FEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049258Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:25.449{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=3D59BE7452FDB4A49A3A62374779F8E9,SHA256=57568111A7E785797902E83F7FD706A242719CCDC270EAC39E9B0437CBFD8D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035371Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:26.996{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047320CCEB174FF6F0051C6A1AB08F0F,SHA256=54D61DCE7252134F69FD11DE1E08E4475729E3016734668FC525800DC69D355E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049266Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:26.464{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2273DF80DD1382CAB9AFFF5035522BE5,SHA256=C8EFBF4D1EC5767751AEA58A70674A3F5BF72CF8DCA1F467A9A4E7549AE3D815,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035370Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:23.889{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51674-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049267Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:27.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66D923C0F9839E14986050EBD5F54C3,SHA256=6289703E72D3C17606EE24D809CE2D5B47BBE6FBA38B725B413FAFFFDE49A716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049268Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:28.500{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE86F04CB9AC8A94E5A319F6227BABD,SHA256=DC1B4D2D9B674DC36D11A6580DD32D068BFE2A6574069DD6B156D85362AD638A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035372Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:28.027{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA9D19D64E681D062AAA173B121FA69,SHA256=9807313B6E27E8A6F60E8B96DE7C7B7F56102DC09B59D0768DE2919AB6C8F84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049270Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:29.515{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A53238FC2B2789A79F53B966EE3656,SHA256=E71209F4F26F1A4F49857AC1B53E030E3F4A37D3C2B6E48CE8B281B944D9C386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035373Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:29.043{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B3DE016E34BD09E9575EF9AC329D17,SHA256=FF05DA3017D69B6047EB11BBCC90F8676E239B70ABA9B5C53C7652AD62A53059,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049269Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:26.551{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64572-false10.0.1.12-8000- 23542300x800000000000000049279Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.778{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=3A366D06FE7B2746AAED7FC9E3C4F8A9,SHA256=641EF48D2B090EFAC106A5B0719DE7C0629733C19764D5E87C061F160EF2C2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049278Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.581{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0F87CCE112CBFCDD658F37C4AD86EF,SHA256=9881012120BB54217F73A583CC4D1D004D437D0DB62038F03FAAB6DD5BB036D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035374Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:30.048{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE69317FAB954A4D2FC098000B824FA,SHA256=DCDE0B105ADAD9805418858E24FEAEA01858CD587B984E5F77536732041966FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049277Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.461{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=6D0C7FF7A456AF1C849AEAA7892A6632,SHA256=D36D0F323A3EFC93397B8AD18BBA951BBF59A5B75AF33987578BE42F398E4CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049276Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.461{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=799D1805D09D004D0F8EE14FD4E22162,SHA256=F5FCB07993050F9845893522C20DC34C3CBD77F42C4BC62FCA7DE4207EE1B53D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049275Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.461{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=18728BA51BF1553DED1B7BF4D0C56946,SHA256=530CFF2ACD89B75B3F6059A7BE45B39E066FF7E80E285E134C7C1B732FEEA277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049274Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.461{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=239D75CF1EDC2094EA16AE0ABA1575C9,SHA256=D024AF52257CB5D3DEE90EBB79252D81AE8386EE9A8DB14E338F09FF40831FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049273Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.461{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4BA0BCBBF526D942067BEC585661B3CA,SHA256=54E139D12308C8A2665C399D257CE45173FD24FDE2C2896008F291CFA7EEE8CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049272Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.461{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=76A544E87ECCA408E0FBC72505DAA755,SHA256=855493EFB4C34CE001769F0ED390AED663E9BD948C7E4F4ADB99E1E5B9368967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049271Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:30.461{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=009569D63E9EDCB26AF1A2A51478235E,SHA256=62A3CADD8E45AEF532F2D985C8212F2A364EDB6B1AC0E0A2F5C3E448DE868501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049280Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:31.598{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A59A0AEDCB29BE84903B7523E6EB17F,SHA256=C26FEFA1F42100695235FA5D6BE33EA094FA529667AB2825062A4BC8BDDE8172,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035376Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:29.879{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035375Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:31.079{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC47D2F2521BFE700AAFFC2957B21EB,SHA256=00A9051E62201DFB491136F5D23F84EAFEE3CBFD86BB71FD6C6D296DAA87DDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049281Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:32.614{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BFB273F7FF20FE15D16B01B63E019B,SHA256=49139C7DBC027E0851B6703C42E2C4E10F889B65EDAD11EDFC64585F166A0B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035377Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:32.079{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4D07914E57711E4B0529D3E1450E9A,SHA256=E91B13F7D347B7008E4B251E9AA248201C81D15A3FA5A05C4B4AD24BA88AD494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:33.881{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:33.644{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A4A47CCCDB9CE0FD2F1385DE9F2471,SHA256=EBFD78BAA1666D090B327EE3DFEF36BE17CE97345CF917EE4156B909685A7F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035378Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:33.142{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D1EA1595D4E971CE64FD47010CFA94,SHA256=CDDFDE33D6BFF190A2FD72CE96D0EC3B34D70EC42848C077AB04F297A9A2421E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:31.495{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64573-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000049284Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:31.495{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64573-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000049283Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:33.082{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766222165C9E8D96E4CEFC247312A031,SHA256=0D7CC7B14F62EBE004D4708FAC6F80910F5FADC78C75E0DA8A702125ECED95BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049282Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:33.081{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54177191B0A8902F20B1F6F85A81B537,SHA256=C369234B8F497D93AE5693E42136D3A5BF01DA17CB5C14695911D22C20853EA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:34.744{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:34.744{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:34.678{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7DA8D7ABAFAFE1AC7A4C27E3057484,SHA256=9207C0CD47E26B53A45661871AC4B5B573E83802B13A8634BFDDEDD4C4A3443A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035379Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:34.173{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313428D70D4FB4B1E997AF135768C4D0,SHA256=B2FA6B49449BDC047D2322D73CDC9CF74FAE1469E75CD5715AF2325A1604FA96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:32.534{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64574-false10.0.1.12-8000- 10341000x800000000000000049289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:34.328{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:34.328{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:35.696{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8FA49EF06863E8B00E57FA55FC21A1,SHA256=52FF74ECE0AA2CAF9F38422A49478F4F8FFB9213E09F11169F8E2AD327A9ABC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035380Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:35.220{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AD01B5114C3565CA94AA02BB7B247D,SHA256=0733497158879BB1181CEBE8F17C440543BB8EDFF1DF3CF593BD43F36FC17D2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:33.294{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64575-false10.0.1.12-8089- 23542300x800000000000000049296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:36.711{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12739F85D755CF58E73589970EFBD83,SHA256=D3169CBCC77905E9ACD82FED8BB9D0382805EE6DBE1D108A6F0B271FB2CBD5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035381Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:36.235{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BD0E62CBA577B34836EBA160DB6872,SHA256=FBFBC9FEEAD7E126AF397DACDD9646EAEF7516BFD0D0C2B2C3415FA655F431A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:37.743{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000049299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:37.743{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:37.743{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF9c4f32.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:37.712{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB99B9E6BE5BD79BD66C77033DEF3D3,SHA256=DEBC550183655302FC8DB8C13EA3E777DB052FA6A1318C4272806F29314E2DD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035383Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:35.847{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035382Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:37.267{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091B2A558ED9765D8EE256EEA299B0AE,SHA256=F551A362CF2FADA2AD603FFAB4D966198D9C7B0AEEE6AE9825ECD17C1741D80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:38.742{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0521B3D21023645DB007DF8DCFCAA8FA,SHA256=D130EEEFC0510F86F3FCBEEA374A19587505FD8E1AEEEEB07C71AA5E0891AFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035384Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:38.282{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7F4A736EBED26E1CB295414C9A365E,SHA256=97F8441476DD9669376F82DA68F83F05BC011B68FCB3CBF7CB08553193582291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:39.841{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=90ABE85258D65BCB22A7F9EA75C99B42,SHA256=5290F078044E727D5126779AA6E74F84C439B0955FE5A0A5C7FD46C38645DB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:39.841{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=D879B98A5C58A138047E72C009829101,SHA256=D074D52C7F5E4EB79AF7511B164D4959A8C0C0C022F0BA6F1C12F7D746E9973F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:39.841{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=EB5B2E0E482F5723F84EEF53EC012D42,SHA256=FE9C82DC2FE2D43156D43054A8D14E58CD9AAC9AECD99F906FC5AFA530E03E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:39.841{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=40F54152201E1D59833869EC8AB20466,SHA256=68AB17562F2E1FDFBF1576A129EAD43D068DBABE9CCC6B03D64BA1EDE6B976DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:39.841{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=064D90BE809E25498A0E322CEBC50B42,SHA256=0A7D2A5EF8389D1427AFCB6AF1D0C2900428752C1EED6DED5DFC104F8E9A2DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:39.841{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=A770A419509FD694ABE061857A0A72A0,SHA256=AE463F7E62C1B3C18F15C1BC28E876B8E758A797D2B0F80370372385B6646AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:39.841{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=1532311FC60BED4F15596ED1FB83CB49,SHA256=DE417E3CDF5545F70301C36467F9408408F253D66C8CB68C5AF2DD6671788A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:39.757{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E29E80F87B6D63C39570EF1D60CF51,SHA256=81E97F85E830BB6A1B310F8155B76BC819D6AAD1DA5B619B161D735E1037D446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035385Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:39.329{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76D45FAE96C148CE2AE9B29C33166E3,SHA256=9C1205060D6B3F5B83B8409AAABC5DDA279BDF6C39D6F5B78E0470BCC963B5E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:40.777{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DF38798EB6138AEA5201D31E65C45E,SHA256=0D8E29F0299DB280B49D387788A65B64CAC900B53A934DDAF5DF172ECD9BA316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035386Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:40.376{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A29AB5E52564881716F2E929FE477C,SHA256=1E6A98E1F83E997B93C9FED43C8D120D774CCD70E09C3D927E68DEB3B1438656,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:38.545{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64576-false10.0.1.12-8000- 23542300x800000000000000049312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:41.794{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4A7BB37A1D60DF7D559E3121198027,SHA256=4AA86EC065F938460C9C1BE41ACBE6802A2C6660ABF0F8C33D8532F0329F8485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035387Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:41.423{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF7756AD22B653A5CDCD648D6795349,SHA256=C9C8EBCC412F1FEA8D7E1F0C441AA898146B9A8FAE32B0D61784079F60B6ED17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:42.808{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775BB28D73B57FC331AF24C75904CB38,SHA256=C16014D4E9A256E123336910F3F7DB6D0F09D2E3A10181DB97766D1703CDADA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035388Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:42.439{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1997D2D4DFA4C021A9752E7129ED3FF,SHA256=CB72ABF6191AE2B86C4871CCDAB98B765A6B26C557A7930C9F9F1727C73EE46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:43.825{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886162A774C72D2079A77E31559D334D,SHA256=E0C30DF55A3F35783403B3627F7F8A51457752719152126DC6547F3EC0F4740D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035390Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:41.832{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035389Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:43.454{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106D775E7D87FC405CDFB69AC1EBDF91,SHA256=083D884092BB44E8F9A64C297BAEA312BC09ADC93F8A616024E51F67A19AEAAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:44.839{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F695AFB9DAE1FE2BE7FB81E25914ED07,SHA256=F77D89392031D1051D75B75834195A62BF1C5BF8C1152114EF3304240DA803F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035391Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:44.501{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A6F1074AB4F3AD510BA8701290E138,SHA256=B3A47358AAC3316D43E45CCF92CA5D66C2D6D5CBB2FD4772E235B4CB05B69C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:45.872{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F365AE460BF47BE69681C793CF1A0A1,SHA256=DD43F392F0F15473DB28E8FE953E16F1F038D22229B3C8F95248F4FD52D2DC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035392Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:45.517{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B43A5E53016DB7724187AF95A7FEB55,SHA256=D715E9BB85BBF90C14D987F7CB09C22BF2A71425CAE23335E78A357C01E3B914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:46.907{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F576546D2E1D092629B984877C3ED949,SHA256=7DC19CD52488BCDF6C457B70486E05C2B1269587A9C5D72344C8E8B941251B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035393Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:46.595{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B02DB0D96F1E9C977702BC4FFF089E,SHA256=C15810769BE2F7A70926AF5A360872AB0A5D298ABB8313004E847136E905A22F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:44.488{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64577-false10.0.1.12-8000- 23542300x800000000000000049319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:47.922{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4196E809A2696AD40419AA993A898A59,SHA256=511563D1A0F4A9F028838C18C117C2670AEDDCD614065A4E7B82F69253E27646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035394Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:47.657{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CEF3C0CA3D1963FBFB99F36E7AAE2D,SHA256=EA354CF138413B6388EF8C8254475AC7E86C6C492DE0DB3772206EDAE6845D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:48.924{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B13C8B9B3CE5ED5104E4E3749B57B5,SHA256=819866B79D6EEB81BF9BA5D211FD3DCD56CCB78E98A88B1725C40B1AC892EEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035395Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:48.673{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EB5E0E9CE1ABCC3BEB568E4BCD6A30,SHA256=DE1F2CD0AB4A7E230CD3A401690E730E1F9CC1B1C1BE59AC860FE55724FEED8A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000049324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:01:49.954{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000049323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:01:49.939{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Config SourceDWORD (0x00000001) 13241300x800000000000000049322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:01:49.939{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9A7B1CBE-334F-49C9-89E1-93C4FD220585.XML 23542300x800000000000000049321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:49.939{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33448AD3B8F4ACA64B8517DF8AF4127A,SHA256=00407D91936D8B41666B3EEE3143C061A3FA4A2189C84C5C05498B9BFFF7974C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035396Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:49.737{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC2F40E7F78E4F1E7802E6518F4F8B6,SHA256=02F013FC4DDE02BE320138D88FA88D8E7E7F2E2EB88D19BAD3760CA235343CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:50.976{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25D316B19559ADA725EBAF194482EC04,SHA256=5EE69A8DA31C61065C4904EB718547C57B178F921C8B589B74E596A2E99BAE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:50.976{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766222165C9E8D96E4CEFC247312A031,SHA256=0D7CC7B14F62EBE004D4708FAC6F80910F5FADC78C75E0DA8A702125ECED95BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:50.954{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95201AA4441DFE083382D4B8926F0ECB,SHA256=FCCD0D3502018DCF173FDF3318087310A72714679FBCAB93247B99E45D299903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035398Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:50.753{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F41C34E7FAEC1CAE0BC47626D8E8767,SHA256=17BAD54933476D59D30343686EE609097FF8DDDC2D94074650CE9DF651528FF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:50.039{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:50.039{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:50.039{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035397Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:47.831{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51678-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:51.973{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EE82776511A1EE3B135AB26F9B2174,SHA256=B7DE6D06DEB6DEE43ABF04D984D42227BF9298465BD9AB95C51902648E62F765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035399Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:51.784{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5832CC1D4B9685CDDDB09C5EF99834D3,SHA256=B242ADB846E3DE524B2C4452699B3DF834A0ADCCF628CAC74A07B3DA56ED9962,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:49.390{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64579-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000049333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:49.390{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64579-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000049332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:49.374{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64578-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000049331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:49.374{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64578-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 23542300x800000000000000049339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:52.990{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41000CB49BDE1940905A79F442848AD5,SHA256=CDFE568F0CC0FCA670EFDE4F627027C518D4D69516FE358A94C3722559393636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035400Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:52.831{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025193474F632234D01DC49E18209B09,SHA256=927470205B18A7316717EFC98051EE4141292B8CB908A5020FC1EDB8FFB66252,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:49.557{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64581-false10.0.1.12-8000- 354300x800000000000000049337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:49.397{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64580-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000049336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:49.397{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64580-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 23542300x800000000000000035401Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:53.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F1BF31F8682674C5CAE3D682C13E52,SHA256=E5B83F7BF14763CEE72B9B81F13D13568ADB488E41568882914C279829C137A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:53.507{82A15F94-3491-6112-0B00-00000000E501}632832C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000035402Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:54.893{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F1FD8A14DEEFF497290A5CB7E683BB,SHA256=757D3C3AB71E03E32BE79F2DAEC96E813CE026D723D09D0602952CC2FBEEFC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.888{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=EEC1B969FABB2FD1E66B43B2E9A6C9C1,SHA256=20CAFDF350863F4FDBAE355398A4555E3B4AF968819CEAC0A9147388550C9D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.888{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=EE22B7EBE2DB24769FE7DBD990EA25CA,SHA256=030B06EC2CFD5BBB9DBFC41FF19EE2486EB681E8889059F81F8610F50B8285E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.888{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=70FAB08FFDE25DF26AD4C28119131453,SHA256=C9DE567D48497A20B4FC8AA49B1F43954E91AF105F1900E113BF582CC0D3E672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.888{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=2C53C589D75767659AB2D8FD77D07C6E,SHA256=D9C6E1D88298F0B91743112F6BF1A1F21DE1E929E395240EED6DB0DB0FBB7830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.888{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=02C8A7AA7DC00B654310CF5B643898FB,SHA256=6CB3B9D171F5CF1DF06F94C7F9AB167BFB73DFCE9841129B9088E6D68449D354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.888{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=5E2EAFF9B0F88511D8CD53A12B589033,SHA256=48D0A24A7B18279621642D8E9C25B74DB534E7FA405FB7BB575C97890757F98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.888{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=3253FD6CFF9BC34974812EFBAA564B0F,SHA256=1ACDED9F2934D91435BDE6E89CA1BD7874AB35BEB8FADD675DCF85588E28BA50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:52.945{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64584-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000049347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:52.945{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64584-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000049346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:52.850{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local64583-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000049345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:52.850{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64583-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000049344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:52.842{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64582-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000049343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:52.842{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64582-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 23542300x800000000000000049342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.420{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25D316B19559ADA725EBAF194482EC04,SHA256=5EE69A8DA31C61065C4904EB718547C57B178F921C8B589B74E596A2E99BAE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:54.005{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56A50A80FBCEA791045BC89A836213E,SHA256=717CEF84811B8170540AB032A936A475CA1069B2EA00B27C1EC70A9AE3AB329B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035404Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:55.909{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1098A5A6B68387C229553F3E3DC0E53D,SHA256=169098B23F1F594B50661B75F185D0131FF580378AA0E2F27E7B22ECC702111E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.335{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CA3-6112-8E08-00000000E501}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.335{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.335{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.335{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.335{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.335{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5CA3-6112-8E08-00000000E501}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.335{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CA3-6112-8E08-00000000E501}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.336{82A15F94-5CA3-6112-8E08-00000000E501}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.020{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A1A88762E1FB6260A972365167DF3B,SHA256=BFD505F521C6D3814239100751DED76F6E586D5D761BE32BEE73AF655FE6A74B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035403Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:52.958{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51679-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035405Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:56.926{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D502CEA832611C4795BD9D6CA9D89F5,SHA256=97697C98E65DC80E92862BF6182BBB0EBC1C1795D5914579EE7892C061B6CEBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.671{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CA4-6112-9008-00000000E501}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.669{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.669{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.669{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.669{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.668{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5CA4-6112-9008-00000000E501}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.668{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CA4-6112-9008-00000000E501}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.667{82A15F94-5CA4-6112-9008-00000000E501}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.350{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AC747C96AD6C17D6DE33366362A5110,SHA256=1871E5E3E8A4FF720C7C40ADE3895C1FDE003953A275FECAC68B1A179F932939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.188{82A15F94-5CA4-6112-8F08-00000000E501}14284592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.035{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF967D00F1BE7D6880928FE037842DA4,SHA256=1EE7C5409A67C4426409748AACF78D0FD642D506C76059FE75DAA51C42791A33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.004{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CA4-6112-8F08-00000000E501}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.004{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.004{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.004{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.004{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.004{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5CA4-6112-8F08-00000000E501}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.004{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CA4-6112-8F08-00000000E501}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:56.005{82A15F94-5CA4-6112-8F08-00000000E501}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035406Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:57.971{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BE333324CBCC67D7C92CFE1D1914D7,SHA256=474016259F93664FC3EFD7F1883E4AB78544E98CB08E344EEC82683FE06B68EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.903{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CA5-6112-9208-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.903{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.903{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.903{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.903{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.903{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5CA5-6112-9208-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.903{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CA5-6112-9208-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.903{82A15F94-5CA5-6112-9208-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.734{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=052570D7F8447143679AC17554DE4313,SHA256=8D551BBA650BB2B240B213CB7C49EF45E27B8CE0AAB9C65F84030EFC57DD571B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.571{82A15F94-5CA5-6112-9108-00000000E501}62601972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.403{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CA5-6112-9108-00000000E501}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.403{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.403{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.403{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.403{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.403{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5CA5-6112-9108-00000000E501}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.403{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CA5-6112-9108-00000000E501}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.404{82A15F94-5CA5-6112-9108-00000000E501}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:57.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2050E061D5534731F5991581941AAD03,SHA256=FA0DEAD69DC3F4FCBE8C3910E063D1CA9F0CFAFEC9252CA2D1C4DDC79C36CD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035407Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:58.972{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BC2568FA5BECCDA759FAC2CC87C023,SHA256=F090992E950B4C276C88DDFF3F41A207DBADA1FAD3414396795ED26E6B8D1D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.933{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6E5A89F4C3BEDA62CE637F5046434E,SHA256=0AAC5B26FC4B46EC24345B1934628D5CEF0885B0467DC2C9C6C5578F8A9FF915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.771{82A15F94-5CA6-6112-9308-00000000E501}58482768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.587{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CA6-6112-9308-00000000E501}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.587{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.587{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.587{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.587{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.587{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5CA6-6112-9308-00000000E501}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.587{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CA6-6112-9308-00000000E501}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.588{82A15F94-5CA6-6112-9308-00000000E501}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:55.522{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64585-false10.0.1.12-8000- 23542300x800000000000000049404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.071{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFAC03A02463C4115663F3DC820157E,SHA256=4E34AB5AB988A04D8C0D0B2284AE8A39818F83B266699EEEC149611C375100D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:58.049{82A15F94-5CA5-6112-9208-00000000E501}14766304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035408Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:59.988{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D3F4BFC246690D31F8573447463406,SHA256=B9784E5000245F0537A920303A14D9A6478FFB3DDBFCF4E8081702738A7C2084,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.217{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CA7-6112-9408-00000000E501}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.217{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.217{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.217{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.217{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5CA7-6112-9408-00000000E501}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.217{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.217{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CA7-6112-9408-00000000E501}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.219{82A15F94-5CA7-6112-9408-00000000E501}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:01:59.133{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC503F315F17F976FA4E601F7ED96F3,SHA256=73552A138608626ED676F1E958E1BC320A6D7FD44D2C06D4E3F26DD5C455767A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035410Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:00.988{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F7F70936E714E473255C8B8116A337,SHA256=ABE8EB44C95B445DD0BBB2BBECF38CC3D2961B1075EC014973382C6CA9CB1649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:00.232{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A034E52407E6350A2B1FB467200CA545,SHA256=9650B32A8C25613FA4609ABE3E2F7FA2D7DD8E5884353B89286BFA39ECEB787A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:00.148{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ED99C30E808ADE6CCA98A787062D58,SHA256=B4A06B3D4DB2705AFCCA43D3D37EC202BB1D0E252BBF786E312AFA0AAC043D5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035409Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:01:58.896{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:01.164{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0423D9AD2CDBDDE71D5C37FD135533E4,SHA256=E75503A54CBFE4E8CBE2AD2F2F4FFBC3A9F4B0F2ADED1CE584AAD3CD0E98E5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:02.197{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BD1820C084EECC028AAB422FF06AED,SHA256=34C9C68F3962157D997EC8B0D7A634C42B8EE0344B341FACD899DDE076B3F7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:02.195{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8F07994A18AD9CD4E446A4DE261CEF42,SHA256=F1FE70CAE2A74DD31D2C505A9D9798E53C87026BF066F576BA20C60E854E6E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035411Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:02.003{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246D7CE6D40EB07E4F0C45079BE72E28,SHA256=E4CBB63D9F95876D07F5604327B0E17A9A3D5955A151415B282B08F5F78C0B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035412Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:03.019{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB93BBB9F2ADF4917E7635F82CB67E80,SHA256=33175A77252139978E2DAB49FF8AF51789BB5D750882024E429F91B6A8060B31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:01.532{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64586-false10.0.1.12-8000- 23542300x800000000000000049430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:03.231{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7ABF35775D748AEFA7D31DBAF756FF,SHA256=5B3F21D00BA864874403018B741F2D8FC1D0A9885A091E2298393E262CBB41D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:04.262{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D648F60B57DE5B78BD0151659CB2911,SHA256=BE988C80A115439F4BC91CF7C24FFEC13B13DDD2670A5EF8048C2F428A347138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035414Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:04.191{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035413Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:04.034{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8452200D8571A280EBA8B660A730A9,SHA256=23CCC796F6D5481D0B9F81FF90F762D64C799EB3E7E05E1B9436D26EC70264C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:05.277{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=298AADEB1623CBC4084152EAECF104C1,SHA256=5C2657B22279C26FA1AECE2B9FD53790B93474DA59A2ACD08D6061B9AB636CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:05.277{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7094C58B1FE9CA1608D9E6146BC688F0,SHA256=40A1ADF12A99437D5603BFFFFC743440FFDE29C07086F19CEA586FB47C22394F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:05.277{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EC56FE907E3410E5723E7A86ABFF3D,SHA256=D44E5F63CA4911B630909AA129FAF48D84B7B121FDFB60A50CEA1F47F74A4A14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035416Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:03.943{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51681-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000035415Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:05.050{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E65E0D436F1BA6FC695FC950A8A64B4,SHA256=0D0F0515670ECDBDA9DFD9F45ED336B3F87F52B773F3ACDB87B57FE4D02BD34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:06.296{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E67F6D1BC296D5BD752F93CB6C5E1F,SHA256=D4DEBB20E232A3AB6633411D100A38B1CC47C8FD08E7CBBEBFDA896F648CD09B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035418Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:04.818{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035417Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:06.066{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F0AFA2DEF0446B440B4E2D723EBCB,SHA256=2BF1965702C88A67518F338E7B786E8712676E2759376AC4419D380F2D591463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:07.317{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59267867D29B66AC875C81C50F83AA5,SHA256=179A168F3E7166977A03DBD390087BCE5B0FB456E36E7BB12EAF90C8ABC2EC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035419Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:07.081{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF0617D99F5E7AE55CB51794F1E029A,SHA256=7EBCCC1DE4B897692C9B2A48DC8053ACCE82D6E348138C5E9ACA9437E58B2827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:08.318{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2471E8452872BF968ECA643AE0BAE914,SHA256=883E62B875869F83CEE4AD344502F0E07B6087B8DCDF758FC774C7E5E20ED6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035420Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:08.097{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243F1902B67495AEA930123710755183,SHA256=071BE1F32C69C581AD2BD97CB0F2D0DE72A948CB43017E5EF729A939D48FC11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:09.318{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4FF51BC70A7EF242235EDCD4D4E7E9,SHA256=D7775329C7C5D1D6CB2BF05A84C524882047E39E8C4A445C925F45E12B0A446E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035421Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:09.113{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B282A335269C9204F5C400638C04EB,SHA256=2B83A659C4AEEA3EEE4C527CE54986CD4C99C3934046858270459F8ABDA3BFC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:07.483{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64587-false10.0.1.12-8000- 23542300x800000000000000049440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:10.333{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B0DB7B604280294146A95283463D54,SHA256=EFE847F38A41F3F97C2A53B3600AFE28D111302684F72951B58572CFAC41CC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035422Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:10.123{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C24A4157447A7969682F06B659D205,SHA256=B0DB2245AA9735CD8369ADB82451926E28E98795A85B7ADC9358C7F509003799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:11.364{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C98A51F65EC8BA0A027EDAEB3F0164,SHA256=0B78B7F4746F0C4FC1D200DB1D61047A536AE228698BFC1960119A16557CA7B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035424Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:09.969{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51683-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035423Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:11.139{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D69C324FBD1068F554C6454B8D43B4,SHA256=29ADA35C6842F52EB810E20A6226FC279284FE99042A4422E41C2094AEDAAC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:12.380{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D105436B1FD01C249038EFF91A01FE,SHA256=D748B20BD563D37DDED51E1B9772BEA83F2814F2FD5F83ED221100F5D41CA21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035425Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:12.155{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3A9D6A66ACE64BF498F1FF0A40C8D1,SHA256=0D642E86CAF0134252C5AAB1C60F7F148E62A7DDFC6C5CBDF45B2B150DC67B50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:13.596{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:13.596{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:13.380{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42CD22D71FE865DB623D95E9D1D797B,SHA256=15D19B6BD9CAB5CC1991080CB1C753A7C3AADBE5D40EACC8FF73977DF2948D39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035440Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.858{82855F7C-5CB5-6112-FE06-00000000E601}2004364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035439Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CB5-6112-FE06-00000000E601}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035438Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035437Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035436Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035435Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035434Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035433Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035432Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035431Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035430Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035429Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5CB5-6112-FE06-00000000E601}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035428Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.686{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CB5-6112-FE06-00000000E601}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035427Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.687{82855F7C-5CB5-6112-FE06-00000000E601}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035426Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:13.170{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41372DFAED9E16D91CD5A0E257972A77,SHA256=1819A116CABFB36F6405C93CF7EBF17A8AD4002561832ED93EB8D9B301E67A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:12.651{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64588-false10.0.1.12-8000- 23542300x800000000000000049447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:14.398{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9AD478D1F178AD72BBA3EE1A1F1FC4,SHA256=A82AE17B0D5C0D367D076A9CD9483024728DA822BBD62DB422740C1CA2076816,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035470Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CB6-6112-0007-00000000E601}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035469Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035468Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035467Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035466Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035465Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035464Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035463Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035462Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035461Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035460Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5CB6-6112-0007-00000000E601}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035459Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.983{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CB6-6112-0007-00000000E601}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035458Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.984{82855F7C-5CB6-6112-0007-00000000E601}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035457Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.905{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=56A3FFC6277B566807069E0897B00B23,SHA256=0456874E55DB1098AB9531E16359945A98A8DA1BE6B7E489BBB2776B930704F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035456Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.717{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449B1AC83995AADCCBEF74A1EDDA25E5,SHA256=AB4F3E48488E4FB18F3021888C08DE8761D0B1AD4D94EA92189F53BC88FB1A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035455Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.717{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=420F7249932AF9BA28247FD8C70C4020,SHA256=7B5F39F954A63291BA196AAD8CC36418CB0EDFC01B893D9675265671A165C8FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035454Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CB6-6112-FF06-00000000E601}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035453Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035452Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035451Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035450Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035449Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035448Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035447Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035446Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035445Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035444Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5CB6-6112-FF06-00000000E601}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035443Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CB6-6112-FF06-00000000E601}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035442Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.358{82855F7C-5CB6-6112-FF06-00000000E601}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035441Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:14.170{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CB604153F217E14780EE301828E95B,SHA256=65C33FB21F069D2089814EF5ED115069844685099614D8C735A43480EAFA25B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:15.416{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E43945CB8F40B0EDAF8E0F6160A698,SHA256=A73FD69E48C30BF4F85C2C6980B54807D2505C01B4422AEC7CE2BC38046F98EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035484Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CB7-6112-0107-00000000E601}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035483Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035482Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035481Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035480Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035479Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035478Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035477Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035476Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035475Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035474Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5CB7-6112-0107-00000000E601}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035473Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CB7-6112-0107-00000000E601}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035472Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.936{82855F7C-5CB7-6112-0107-00000000E601}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035471Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.201{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078BAEAB5B3903CC2AFEE02B0EC6F05D,SHA256=DF68B24C9E105F351E3A71286827689FCFF835880F8F6715737898EAD6E06FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:16.431{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B5F0AB1E5A2FB03F4EE97E5A9430BD,SHA256=36FDFDA24139474DEB08B72BF33380782BFB5AF7B11D20AFA2B495500842DA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035502Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:15.016{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51684-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035501Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.748{82855F7C-5CB8-6112-0207-00000000E601}8882460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035500Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CB8-6112-0207-00000000E601}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035499Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035498Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035497Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035496Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035495Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035494Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035493Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035492Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035491Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035490Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5CB8-6112-0207-00000000E601}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035489Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CB8-6112-0207-00000000E601}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035488Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.608{82855F7C-5CB8-6112-0207-00000000E601}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035487Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.217{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AEB7D50DA7C265585AA800172B54D0,SHA256=969C120C74FE5124EE1B1B59C45A16FF86DCC3ADF61A20CC4E57DDFCB77DA4F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035486Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.139{82855F7C-5CB7-6112-0107-00000000E601}1200588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035485Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:16.030{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449B1AC83995AADCCBEF74A1EDDA25E5,SHA256=AB4F3E48488E4FB18F3021888C08DE8761D0B1AD4D94EA92189F53BC88FB1A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:17.446{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE4A5E93E6DAED5F992976304F66005,SHA256=0B53EC3209CC0C8983C515183A9A57D2B1D82DF1B8E46A708D394409682111D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035531Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CB9-6112-0407-00000000E601}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035530Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5CB9-6112-0407-00000000E601}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035529Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035528Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035527Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035526Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035525Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035524Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035523Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035522Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035521Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035520Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.951{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CB9-6112-0407-00000000E601}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035519Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.952{82855F7C-5CB9-6112-0407-00000000E601}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035518Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.842{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75146D33FC20807E8567D4466FEDBF87,SHA256=3900044C1A0E3A62A7203B555362ABB141F9C80BD025B1D2923AAEAA3EC688A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035517Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.483{82855F7C-5CB9-6112-0307-00000000E601}17443404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035516Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CB9-6112-0307-00000000E601}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035515Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035514Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035513Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035512Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035511Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035510Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035509Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035508Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035507Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035506Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5CB9-6112-0307-00000000E601}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035505Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CB9-6112-0307-00000000E601}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035504Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.280{82855F7C-5CB9-6112-0307-00000000E601}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035503Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:17.233{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978F86E54DB393B70287BF50576B0E78,SHA256=AB186B586463ECDB85AE4FA020E1F1581BBBA80E7E9B2DB142D785AE5CB9A1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:18.704{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:18.630{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000049455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:18.630{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000049454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:02:18.630{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.69.184929727C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:02:18.630{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.69.184929727C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000049452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:18.461{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F86AD69A0ADFE298F18D287AD12B0D,SHA256=496269B0537C38813F0C019D8836C4011A80833C3FFD09DB552CA1880D1D21D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035533Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:18.967{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA7DEDA1F8B3AADF669E0FF83C14A0B,SHA256=ED0EE9B3E089840AA5D18A04082D2CB694C629EF6F6C55A1B18E7702E09DEC17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035532Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:18.264{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E4BFA05C741CB7D3EB78D4BBFC5643,SHA256=E5518B2942E43291E4172588235531C9FDBDA5317E650F5A0E1B779E573AF6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:19.463{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A828242A8D6255E50D492E49D42D390,SHA256=071DCE6A961498C9058ADF63A02789D9E084068C90A7DB8B5399E5BC700E1233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035534Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:19.280{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F444B5B6AB7A2FB4125AD86FAD163E,SHA256=278370B362527955E59AE949E807AC4621EAEB48180CC203789DDC06CD874CD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:18.164{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64590-false104.244.42.130-443https 354300x800000000000000049460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:18.156{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64589-false104.244.42.130-443https 23542300x800000000000000049459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:20.478{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D201A2F092D4A0EB5707A216C3FBED7E,SHA256=F8230D612E4ABD1B5D557C7E0C30F4C8CD6646EB927CEADBD1607FCB23F56D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035535Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:20.295{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB686ED731784B5014560C345564103,SHA256=56D92EE55C676490B4C8D55FD28677FF3A9848EA1CA61D244798A8DAED1C3A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:21.896{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8290AE3DB227A9E12E72390F6B9610,SHA256=0D0AEBF6D338BEB67CCC98102F36BCD72FA7B4EF03608D71E97E99C6A07CDA4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:18.681{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64591-false10.0.1.12-8000- 23542300x800000000000000035536Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:21.311{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81F45B7B00CE70BC34C30CF24F13010,SHA256=CA0A25C0F101A8154DDEB0EA6437839A20E45FA70C5947C6FE47914608A23B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:22.817{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F583EEA0E40C9CF1D8FD9146DD5E9B2,SHA256=FB729367ED874762020C89ADFF2615C0CF37D4E762091EC2404E9E9B7578509C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035537Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:22.358{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A1DAF2E7609C5F0E809B06B50E27DB,SHA256=1CA11E0478150BF2E4A747D2755230ED767B6BED05D456D11B1299E4DB8FDD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:23.832{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B801751CD2E6BE23E1C422432B6D8CA,SHA256=FB75A32114D35C346665E05F764CA12F90221BD54D82D37F4EA54CA067617120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035539Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:23.420{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CCB4BDA98BDB427B091B8416FB8541,SHA256=9D3CB7ECF499AC4E5A01B9AE422ACF085F2A05E7E3C606609E3D0A643E721559,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035538Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:20.891{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51685-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:24.916{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.files\1MD5=AAFBEBCF643EC0E1EC75DA7E16B73988,SHA256=60FE734E33B13297AAEAB5FE790E7D62F6251FAF54F621857D1C54AE6EFBA86A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:24.847{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371D2D78AE86FBE784C6C4C1C29F2A0E,SHA256=7A20D377BA29108D92BB52C34584FFE9C413D081004E8425DC032B5CE033FDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035540Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:24.483{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA9A392A84B885C3C0F70A4BB1B99DF,SHA256=392B5566B3D03FCCEC955BA13617972E421CEE2F1C0057017A0606C7EC7AED06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:25.862{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708D8C0E434042062A44058242DEEE50,SHA256=7A672E9797DBB330B73FE6DDBF99660B483FED7571DE67EC645EE0AA05EED060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035541Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:25.498{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D084C274051344323ED02835120819D0,SHA256=631C7E926F4734B6A7AFF2BF7C27BCFADB84A7A3E63D90B3105D8B4B1F371FF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:24.581{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64592-false10.0.1.12-8000- 23542300x800000000000000049506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:26.877{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9719C4DC78870E4459B81806E7FB0DE,SHA256=FA3A0598F5ED30BE417043B53D5891E623B3B3D4952A0EEFA493D078F496E685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035544Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:26.498{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F593E4F1994AD1A4A45B5BFE67C8AF,SHA256=BF79E07EA580256434E226B6391C86401725BE3666474CBE242F335DFD57641A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035543Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:23.347{82855F7C-367E-6112-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-456.attackrange.local138netbios-dgm 354300x800000000000000035542Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:23.347{82855F7C-367E-6112-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-456.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 23542300x800000000000000049508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:27.894{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3E02A740B0D8F838A9090EB599D18B,SHA256=5F9F0A07B7E44C9A41E1ECA576BB1277F6ABAC6FAD6F6557E58400E69E03AD33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035545Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:27.530{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F528253E8E61CAFC2952DE05C67B55,SHA256=ABE3E56B42D8587DEF8D209EA19DA038988D43904E2A06B21A611C09B0EA40C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:28.899{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AECDCBE495A0A1313029C7F8C2A9B17,SHA256=3F05D6B20AC28BB4BCCC16A0EB3BD1D42E7C3DCAB37A82DCB2ABEA3A681A891D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035546Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:28.561{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857C11304D4E019AB88865E7D611C6FF,SHA256=D61E7D5B4ADCC834259F65E2671692C166F5F1E17F886914F528793116139B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:29.949{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025CD1C3B16A3CD3DE6C4E601BDFBCA4,SHA256=A1D4977C5B5851E39DD9F42D4BAE275FF598DE3ABBEE36FFC060CBB108BA2600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035548Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:29.566{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8679490133A351D203C2DBC903E5D2,SHA256=F4F075E7AD5BB2D8AEE437E4E1BC5F9869D8F88BB7CAEF80C634E6E2241ABAC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035547Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:26.875{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.964{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D485FDAAE61575522F203068F1D2D67,SHA256=CE4162ADBB6F5060FFFA34D03DD60B6844C2712D9CB3B530C423A2BFC87C0F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035549Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:30.628{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089ADACBC2EE66E03AFB292193F00DD4,SHA256=65BE6BEA8B8A084B9986CEB0E5004AE36857603FF5C9FED2F9EB7E854603081D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.917{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=9568C73C43DBE14E87F7950270892CCD,SHA256=939456672C12352CCE7519038F865D482FE96AE7B5E54CD4CFEE9BBCCA94EDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.017{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=17402543CCF964FA9C9C4E99289DAB4F,SHA256=38C8F3587FE5F53A96A0AA0AED110871DD241434D7E352B7AA6E804CE992DDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.017{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=76AD664A697D06EA2C542C998B8226DE,SHA256=58720F3482425F0197F64646ACA960B4CA511EE594165149C893FCFB581C7CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.017{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=9C8D32946B215569018F826C57A5E803,SHA256=DAA53393C7358C060FA5D823318E4A457EEE82D44E4EBDABBA5B4CC9B067AA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.017{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=9B56D983F5F32300DD16A6B4C92932A6,SHA256=F7C2DD33B2E9BC2707A31758259FF6EC8611BB8EE5A0A4EFE57F8D2A85D39F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.017{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=165884E753A2F248D3150347B2697063,SHA256=17139CDF3C5F12E6507ADD94738270F63B991EE4044E25950793EE728646EC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.017{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=BD1C0D81B778C1FBEDD289FF82405C8F,SHA256=028A8B2C94CF0E433693AA4CA9B0667C0E7F3BBAA5430EB34EFC8DAB179F7F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.017{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=6D15D553368969447F216A066218FA27,SHA256=63B7F123D87DB55169DC5E210338B2F2BA6336DB8D6B483F6070F12403E672E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035550Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:31.659{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E90BCCEF783825E28A4D66D92A02FBD,SHA256=FFB3DDC76A8BA0F822282FABC2F959A90F2B5F666F045097A6BC3450CD63CC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:31.996{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8897CC430AFE0603A65B933CE7437F0,SHA256=DDD588ECF0960A6FE787F303D38F7C0FDF5F0977F4C52B091277896EF5BF913C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035551Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:32.675{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009335C61BDBDF009B373F956C0BCF28,SHA256=A463C4D6F5062CCEC1988AE63E3E73F93F502E13AB057029DF14CCB2DB1C65C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:30.550{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64593-false10.0.1.12-8000- 23542300x800000000000000035552Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:33.691{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90D0BBB948BF84A9C9DFECA2F64EEFB,SHA256=1CF93A3C5C7CDD9D854F5A123E543E5C9A15D246108F2577D07B9D263D60924E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:31.513{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64594-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000049526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:31.513{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64594-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000049525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:33.915{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:33.100{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A669BDD17E336475E2F4E00E611511D0,SHA256=E111C75038CE9DACF29D6127A8A931AF9549724C76A9F32F5062CC4EDA031C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:33.100{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=298AADEB1623CBC4084152EAECF104C1,SHA256=5C2657B22279C26FA1AECE2B9FD53790B93474DA59A2ACD08D6061B9AB636CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:33.015{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0255060809B7517781B3FF88C086322C,SHA256=8299C6ABBEE989434774DF758571A77B83B1197C6712036AE75E74914CB823F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035554Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:34.722{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33DC769489BC958D35207FCD7A2A9DA,SHA256=8113AE42A374581703C751D7791C47887CF8FB0FD3BB7592E0B5789FD90D0B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:34.030{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FB4F82697E3B6359C1AC70CCE4D05F,SHA256=E9B0FF7EB1C538C6033589F87DF6F6479FA6620989D563BF91083A6AAA9BF3E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035553Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:32.005{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51687-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035555Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:35.722{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF168C5765B16273FCEBCE0F7DF0EE2,SHA256=36C4AB69F77CF6AE836C66557C667BF3B7CDF960ABCECFAC048D5BAF4FD541E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:35.045{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BD8AE527A035CD034A8876347E97BB,SHA256=F68F7D9F92E2455E07E560BD0F1E6BB0669F48DD8DDF0F1222D677DCDA365F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035556Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:36.769{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66690767C199A37F717FBC2CE0F9F5FF,SHA256=1FAAF51A3C3359F6E3C58C5DCC71993A8639579E3FDD463F2348DBA71042351F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:36.060{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A33A90BF63C18789C6CA336B362404,SHA256=22CC10A25D05ED5DA11B5C9B3A1B6BC79C833B6FCB32EC20DC5414F931A73BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:33.327{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64595-false10.0.1.12-8089- 23542300x800000000000000035557Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:37.784{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFDFA479E1D0AE834F46322779DA0CB,SHA256=AF94F4CE416D1FC14678ADA395AA38363F013D0A7A995781DD645708BEA7C098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:37.075{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B2EF9D116853751B5E16E84890AE5D,SHA256=B0CBF373F0416CF66BA07683EBE0236600C4109FB92785344F03C713F911BDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035558Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:38.831{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0511320CE799F6D5907552B3D540C686,SHA256=B39B5C947B58D56C9EECAA891A086A1608B167085DEF7AF12A93E3F38C35D56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:38.092{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E32D6015FFC8F196C899E1A903463F9,SHA256=A8D0B281D0DB218398667BD1F8645C1960F6570D5391B8CE94EE6ED1A9D8E6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035560Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:39.862{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91F90285DF3A42DFA88C030DA2165CF,SHA256=9C8993C72238347B5E86C0A20CB09F7C737DB51B405B455A484AE744BDAA2E7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:36.562{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64596-false10.0.1.12-8000- 23542300x800000000000000049534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:39.111{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7EF34CDB3FA6633714841502B8E38B,SHA256=3F15ED2B46EB42497F5A756296D5922C8BFB2569F03EB072C83B701321D993F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035559Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:37.927{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51688-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035561Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:40.878{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93167C22CBF5548BEEA9879819439AC,SHA256=A369152DDF2AC4C05542E7FEC682BEDD32AEA8C801FC48EA4F946575C6F7B8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:40.113{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CC252F83B6E8EB2E3BFA51E1C6BAF3,SHA256=5F5B689AAED686DB78CA56A1C4261082A238D8AB8079596DB7BD0042C363F4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035562Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:41.909{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F16C57F7C797E45E81618B234488282,SHA256=B4925DFE3707DA2242371057C80FF8EB4ED0129E0D6C83E65199817C64341249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:41.114{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A01BC13D2EB771BC460F2A76885EC13,SHA256=CB54E25A4FA6169BA55F5CF25C6319BCB5D87F6D6C22E40E55F1CDE80E6EA3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035563Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:42.956{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B129E2941EA5E91C917D1937761153D7,SHA256=8386DA495420615F2C0BBFDF1507959E1F0BB06953F2318939988A0DCA53B629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:42.144{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086DE43C18089E9B380F990110819A7E,SHA256=54FD4680CEB0DA4F61D9DCAB7AD47B6DECE55F51B8194E7FC5BD3D144750E597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035564Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:43.987{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E23964DEF8A3DFF0A70F59F2B37D7F,SHA256=07E986F17B691CBE88A7501A095C0113774EE15CB9FE3B242A64C428AC5A4B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:43.159{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDB8A31CB9AD2DC73B52A8B409EA932,SHA256=4E80C02D3EC132EFDEC834E89BFE8084035F5B94DAB68CFFAA55846F11FB62E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:42.508{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64597-false10.0.1.12-8000- 23542300x800000000000000049540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:44.193{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70552F15C0FF0006561A6AB8A8F9F0B3,SHA256=B0466D0038A0F532A2E4AFC9ED82C90399FAAC6EC2EBB5B21A7001279EB33AD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035565Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:43.020{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51689-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:45.213{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D53F2A1993007900BCF20B4F613064D,SHA256=ACF7F04442797E8BD5CECA8DC39A3873CCDE815FAFFAF618857EA87A0061EEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035566Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:45.003{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBA8993183FC8826553C190DD3A258F,SHA256=820590B8924523B8BF21CB69CC70042C8F6A44AF2334D51209F13356ADA8C091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035567Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:46.019{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B967397DAA1F881B3F6310B081D1C2BA,SHA256=89148848B7F3674988FCEAD2AEA8C3535038E9E0B9B7F1800C802B122734B453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:46.228{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4AE0870D4CAA1A256F3A9A275C0898,SHA256=C02A0ED4B46A3960EC74B85DEF68013DDB5F311251FDB5759675F5909FB181F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:47.243{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BC0DFAD82193D534302AA1E966B1C3,SHA256=23C0546821C08CAB3760BE7EAC0306E4C35B7930373888877B6277E848B1BBB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035568Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:47.081{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6D42F560B8A417161E4EDB4DBB0A01,SHA256=882587B10C9414962BE59F02837462193DCAD360A079F56C8B460E741757A30F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049545Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:48.258{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A122C3B1C1753F82B9703873EDA54613,SHA256=1837B38BFCF967BF9186664E0AB077C720285714149E1E920AFB566A16843D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035569Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:48.112{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706672722743371004759AC357361EE0,SHA256=A3B39787F582E549A233DF792863E18B3D6056F87164C432E64C455858D89AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049546Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:49.272{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571D2E8543C9BA62B30BEBE40F9EF62B,SHA256=1A8D304EE12950C5AC3246DB027DE59B25D9BEE579DEBBE1595A4F8A42C662ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035570Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:49.175{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7476DED5C8D63F6DED0D33CD2BD9FC4B,SHA256=6CAC57479D2E5C7B3B74723AFAFC7B986928687273F98D9EEF96ADE279907A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049549Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:47.607{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64598-false10.0.1.12-8000- 23542300x800000000000000049548Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:50.290{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC9F457314AA4D4816B0978D26A6A92,SHA256=B9B41C66CA38F050AF8025B213C17F5E4C457DBEB9AFFB77B961D029140E49B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035572Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:48.770{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51690-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035571Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:50.234{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099FC968A479E86A5290FA27D69B9070,SHA256=9C40919493339A001DE3AB0CD49B6CC7FD421AFA83A9F9FD4E786A8D4B77629B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049547Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:50.240{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF9d6a66.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035573Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:51.249{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2397E0729C1742EEEF63644C16BC9E20,SHA256=B22B9DCD314C864EFAC18189850AE8691F5158FD0A22FBF3F3D4BAE2EFFF2567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049550Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:51.308{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FF35BAB6AF384D180430E285B5AD07,SHA256=D8D46032B4D8550F4558CD99A9765304E03F5EB714597512BF0E6EDFA53CC665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049551Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:52.324{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD61B4DD5FF7D0366A2614F772CDA84B,SHA256=61A7FA1E7AA5F2543A19AF8EDFFDCC7E47BE814A4C228817706F159CA2BA3F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035574Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:52.265{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C65441BAEF0D207840512355DB9F62B,SHA256=C40F42CD3A9FF9BDE5784728AFD0470CE99F9951739834A534BD7027AC1180B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049552Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:53.339{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE30619B0402E4625F2815ED99410AA5,SHA256=7B9FE2B411656CDF47B8F9CDB65157C0267ABF6D21231E6B9BDD5FB9373E0E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035575Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:53.281{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE1B6B5ED5D6F60BCF4D9937C961842,SHA256=58CB82E84B57DBD4C2495E090D9A1F156A97B71D4416832C8CEC8453C3500D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049553Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:54.354{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26E36E521EC4CC1DA0274632B76E566,SHA256=E5F2A37C9F3D5C4C6678686B56CD2871BCA8B9C9FBC5A27FF7988408B897291B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035576Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:54.312{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AA7DDEAAAE1EBA729E4F8C6B591941,SHA256=11DB5083838902492EB3AADD227555DA7FC3EADD264CCF156C027DEBF057FB26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035578Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:53.907{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51691-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035577Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:55.328{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E7F422AA9ED51239014F3FDAB0FA29,SHA256=D0F1AA4FFFFC96490115EC4C47B76ADA56EFAEA0AD6C3D94E9EB6345C46A7B2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049564Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.506{82A15F94-5CDF-6112-9508-00000000E501}52806940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000049563Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:53.556{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64599-false10.0.1.12-8000- 23542300x800000000000000049562Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.368{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1BAC98DB9AC704D0CEE71A70E0C408,SHA256=E233BD9E66909936E2083D375D346D7B8169BF87D5F63D6362B90DEEDFBFE1D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049561Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.337{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CDF-6112-9508-00000000E501}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049560Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.337{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049559Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.337{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049558Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.337{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049557Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.337{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049556Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.337{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5CDF-6112-9508-00000000E501}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049555Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.337{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CDF-6112-9508-00000000E501}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049554Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:55.338{82A15F94-5CDF-6112-9508-00000000E501}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049583Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.688{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CE0-6112-9708-00000000E501}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049582Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.686{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049581Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.686{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049580Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.685{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049579Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.685{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049578Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.685{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5CE0-6112-9708-00000000E501}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049577Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.685{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CE0-6112-9708-00000000E501}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049576Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.684{82A15F94-5CE0-6112-9708-00000000E501}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049575Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.389{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BECD3F0B09FCB058B61EEE5685BA93,SHA256=795C620C0184C08971A9D49B714F09330AED1F21114F9D44A817D0BB22859175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035579Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:56.343{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDB75B548A5C636D6DD63ECC464B29A,SHA256=5C51BF61C8F0086844DF0C7FBF1F8B87EBDBCFBAA9D89F38EE320982EDFAE355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049574Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.352{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5424A4CB575C0E24ABD037A8AA623861,SHA256=791AE8C4743D75872BC3DEA60C3A66579B6615CDBB212AC562D361A49D805893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049573Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.352{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A669BDD17E336475E2F4E00E611511D0,SHA256=E111C75038CE9DACF29D6127A8A931AF9549724C76A9F32F5062CC4EDA031C87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049572Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.021{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CE0-6112-9608-00000000E501}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049571Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.021{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049570Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.021{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049569Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.021{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049568Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.021{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049567Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.021{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5CE0-6112-9608-00000000E501}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049566Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.021{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CE0-6112-9608-00000000E501}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049565Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:56.022{82A15F94-5CE0-6112-9608-00000000E501}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049594Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.704{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5424A4CB575C0E24ABD037A8AA623861,SHA256=791AE8C4743D75872BC3DEA60C3A66579B6615CDBB212AC562D361A49D805893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049593Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.567{82A15F94-5CE1-6112-9808-00000000E501}39962388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049592Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.489{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6210DE6EDDC1B0CC614D2FFCC22655E,SHA256=AACC19A8CD52349F4F73D0CEB5BB9949A98FD1A795C22F901C93A2DA69F48C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035580Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:57.359{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103CBAD8F36236E05872710FA70957B4,SHA256=831401BE31FEF97D9F6B6E11F65642107C7418DFB0F6D3B5BD6B4DFE8E99C964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049591Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.420{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CE1-6112-9808-00000000E501}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049590Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.420{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049589Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.420{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049588Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.420{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049587Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.420{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049586Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.420{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5CE1-6112-9808-00000000E501}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049585Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.420{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CE1-6112-9808-00000000E501}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049584Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:57.421{82A15F94-5CE1-6112-9808-00000000E501}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035581Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:58.361{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49512D91F0A318920A39562F9BFE0AC5,SHA256=7797CC50B863FE55B1AF56CCE49EEBF90F50172BFA4D7EF50B7B3929DECC9307,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049613Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.955{82A15F94-5CE2-6112-9A08-00000000E501}24726000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049612Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.791{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CE2-6112-9A08-00000000E501}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049611Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.789{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049610Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.789{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049609Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.789{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049608Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.789{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049607Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.789{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5CE2-6112-9A08-00000000E501}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049606Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.788{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CE2-6112-9A08-00000000E501}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049605Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.787{82A15F94-5CE2-6112-9A08-00000000E501}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049604Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.509{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2C5406AF6E93A7AB51A57B36DC42D0,SHA256=95CDCF8D63FEDFCABF9345DA7DA3589F562A9B9FDF93AEA9D6A9BCF746F9E14A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049603Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.271{82A15F94-5CE2-6112-9908-00000000E501}64122368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049602Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.104{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CE2-6112-9908-00000000E501}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049601Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.104{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049600Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.104{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049599Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.104{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5CE2-6112-9908-00000000E501}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049598Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.104{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049597Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.104{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049596Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.104{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CE2-6112-9908-00000000E501}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049595Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:58.105{82A15F94-5CE2-6112-9908-00000000E501}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035582Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:59.389{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A23EA36B1750FD6B9C15058EC969A01,SHA256=2BFC9DF6AB6C05F613CC5AE364D00C036094354E53388FDA4965A2025672E6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049623Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.523{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FE563716B4F8D16DA1832A0E108032,SHA256=68B78708B9969EF5DA3E38676F36FE8D5F0E31EA2953EDF97D24C68A08C40629,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049622Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.455{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5CE3-6112-9B08-00000000E501}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049621Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.455{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049620Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.455{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049619Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.455{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049618Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.455{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049617Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.455{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5CE3-6112-9B08-00000000E501}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049616Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.455{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5CE3-6112-9B08-00000000E501}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049615Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.455{82A15F94-5CE3-6112-9B08-00000000E501}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049614Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.108{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2455F65EC92DC0C9343781CAA8B866E7,SHA256=D1208BC67B871E5E16DD87BC0A49FDB11221021705DE0BABC5347C7B8F4B9A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049625Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:00.572{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96287A8406932635166EF61ECF6039FC,SHA256=5D29ADECD834B15C3B53D76662C4A186F0B6945FF117FA5EEEA0A357014887EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035583Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:00.422{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353AE4B7FEAE45A16A3B16F39DA51125,SHA256=3F7B668AA386924BD2128F1F025199F38947D5714EEFB147E43BF1A2C3736EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049624Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:00.472{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E9CC4889B7EB580BA72A6B56A4F544B,SHA256=C17394593F282CCCB9546F4DF813E43E0293A1AD1A18F9E553685773395FF250,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049627Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:02:59.475{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64600-false10.0.1.12-8000- 23542300x800000000000000049626Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:01.590{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40215616D3B8E533EA3458B6F98EF8F9,SHA256=033AC497D4381623079C2B09381A16FC2F86976E7DC4683CC7E18CC54A56C35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035584Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:01.438{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF3F203E95CE967185415ACD1517F6A,SHA256=BC8B77E8F39BAA3E85AFE2F0ACA9A29BF3B0D7D1C9EFA74EAF7FEEC57ECB8F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049629Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:02.624{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC8ACCF5A38D1846265D75FBB887D4D,SHA256=0483794D27A43D2887D7D2EE49A5BB601217EAADB37872FE07FBB8D24CC5D94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035586Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:02.454{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89E8A10DF3E6B6E1340093BFB6835B0,SHA256=9CD9F2386433BE782CEE33385EBBE45AC08F8F5B5054B8E01D32A554ABC9E787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049628Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:02.209{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AD0C361CE4CD5905B7848A2A3F963A93,SHA256=E26A8FEF5115A7642CFCB0EEDE5ED4CAB09B81DB6D09AF64B383780F1F9679FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035585Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:02:59.892{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51692-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049630Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:03.640{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1191D30E6F7232FB3808F7F356FD06A,SHA256=BE09D545F9D3702C7C4C9FDA4D557133183C2214A75865878CE1F30465A5AD23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035587Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:03.469{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D579DD53117771DAAC4CBD26B64B8F1,SHA256=14109C7F699148094FB4D0FFCB5DEE1C8EEBFC7F3B68BB2DD02B4E85210DC828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049631Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:04.655{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32962F2CE5E5EA724E402318C6AA2875,SHA256=0A8AD216CDC8EAC7D0D7AA48864BE4884446E340016824EFBE8E9D1BE0E7BF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035589Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:04.485{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2DB95734CC8DB959F8EEDC4EB65F05,SHA256=03E6C5C3FD558AB4624E17482E7B9B13B269BD24484D9770F14D33DEA88A832C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035588Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:04.219{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049632Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:05.669{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3FD50532BDC1E1A51D925EBF1F6379,SHA256=1486D721C671708691573B0E69D263D56266896AE08B19D4EE32CAFDE910D3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035590Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:05.500{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669BABB845B98A0C3B13C329561FCAA7,SHA256=7C38DAE9F0E5A29CF73CE15801AA72E67C918FF3A077578D862A860CD04F630C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049633Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:06.686{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDE115DB0B34F5DCE2885B83E1A626D,SHA256=9F5A4F340FD7A1ABC5C4939584632473DF205B557BE61B97D6C20423EEBF11FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035592Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:06.547{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E836D96695D9E131970CB7461B8794,SHA256=63D4C4A8A2C772A4A82CF106D09FE038E2EB34671A78213AB472B26202C4B3D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035591Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:03.971{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51693-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000049635Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:04.641{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64601-false10.0.1.12-8000- 23542300x800000000000000049634Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:07.706{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95508CD2792604712ECF5521E24C2EF4,SHA256=216832358956C70BDD4128FADB85D5CDEED04613844BF393706E978DA104859D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035593Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:07.610{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FBFBD51B82024265E21F53B43F7C84,SHA256=A05CAF79C6CA5599A8B072DCBEF251B5A019D57C3222E29312C38ACB4C53E334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049636Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:08.768{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE354F497187C96F71993E092BD4A848,SHA256=16FF0FFBFEFCA4714CE466920ACEAFC7F3FC07CA9997F32C2FA763009C2A072A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035595Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:08.625{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A7E9F8F0981650C5B004C370E94CE4,SHA256=DE13D26F4A4FA00E23618EAE13ACB4238E039EFD69BF83D5D9DEEADA0C0F5961,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035594Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:05.877{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51694-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049637Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:09.768{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD1976F337E26BEB00887DE82C7E85C,SHA256=9A48644D471B204D3F0BE4A3E140DE72A73FB122AD604DCCD83B4CA06541EF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035596Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:09.628{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4859C63961BE82B4B6D288FE76EB0157,SHA256=4D36307D5DC5307856C9B5B5137807323769393D89350BA3B3B9DBF3D522B6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049645Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.787{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2356BB1F7A091460F4667B353A4C593,SHA256=54FB066BEF4731258F7FC8D9912A7C29C85BA6BC4CCAD6B7D9E086181716B73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035597Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:10.644{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1456F788A9B0B344BBD78B71E9A5BC,SHA256=F821C278A7A6DBD63D00E508285147A979E27E9DC9EFBAFE55ACC4FB4E8B8DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049644Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.149{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=5171B00381B8D2CBBEDD036AB0DA782A,SHA256=47C1F6F77A5A9AD1D8C1562BD2E09BC652C1141B392EA489B959006073AB61BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049643Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.149{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=F8443BC3F6E22C8778E3B174FEB6FBD7,SHA256=4DCB8A626EEA95C665E5092F0F29A36B40CA1487C281E10737A0AD05E71FD169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049642Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.149{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C393FD57EC9AF2EA5773A3DA6715438B,SHA256=7C0A6459FBCDB01AA601AD0E760B69968B512C22378784358F47ED7B135909C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049641Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.149{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C859153373FE0580F142F597ED63F9D5,SHA256=14778CBD9CB55914D9E09CB771A7C69B8002815B4BA832B835A598A7EB677FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049640Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.149{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=DA2504CEA4D01DF7787ECB9AB0873F59,SHA256=70D513C8838D20E016B6A27A0A95D7C08B659ABA3BE4125A93E902945077E809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049639Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.149{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=981BAA24452F58A45117CB131B14111A,SHA256=87D01C82FF1CC3BBDDC9F7A3C806F33BF50E699822C171B48390BF2BF78C1119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049638Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.149{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=27E196E90170B7964C94041AA384563B,SHA256=BA809E3B52137E82ED2EB0DC804BB65AC313E6E57DF01E3A9C18FF539D28501C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049646Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:11.805{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF42538B074CDD2F5E51AE72B87F837,SHA256=B5CDFC27A59A4A6DF286517AB83B96FFFA94643C79A83CAE2CFB5BA8892A346E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035598Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:11.691{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FCA2D14D25AC56FF6326C7DA0AF674,SHA256=94BD015558DDB4C37B92237A7EFCE5855FA8597884ADB6D0939521A8869C8742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049647Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:12.805{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B5E46C57E69B4F0F4B7D7F4EBC11AC,SHA256=9C68B00EA2CAC322368914FD961F706348EA8DD11DFD38C29ADD25D06E779EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035600Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:12.707{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E358E5D18E889A4FACF6F1FFD362D5B6,SHA256=E88350BF1CE4B57E2255A776EA52841D34918386BF4BDACA6403C98A58232F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035599Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:10.973{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51695-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049649Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:10.670{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64602-false10.0.1.12-8000- 23542300x800000000000000049648Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:13.805{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF706059D2A466DB6E7F3A3D0AEBBF3,SHA256=A4AA1FDA0BEDC26B69DC7CAA81E8BB7CB012144F3261566EF873DE7ABBD59895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035614Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.738{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F365F0ADDF103D3A572EABE76D70D09,SHA256=94256284DDFEF28ED1585978D2534FD9CE1953EBF23EF16258BD191993EA2FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035613Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CF1-6112-0507-00000000E601}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035612Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035611Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035610Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035609Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035608Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035607Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035606Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035605Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035604Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035603Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5CF1-6112-0507-00000000E601}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035602Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CF1-6112-0507-00000000E601}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035601Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:13.691{82855F7C-5CF1-6112-0507-00000000E601}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049650Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:14.836{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD584714D109336FDCA103EA1AD7E97B,SHA256=E1ADF77FD50B35028B7C990BA875E499F9B23E84A6027B08B86082BDEA07D7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035631Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.910{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EB4521D6CD1B62164715DEE2C2EB8355,SHA256=91B888179E86140D21EDB429F992FCA7B3C40F91ED41F59D6490132BF0906600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035630Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.785{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D549E2138DFAC0CB068CB549CE6558,SHA256=B82B4F32AAA487CD878A99D63F11EC05ABCC2566FF391204F34285D0155F782A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035629Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.706{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D923B06242BA4B31E6C943551682B68C,SHA256=29B3BCBF841288546E9CDC757FC5DD2891561BD345628F800D056181AE72947C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035628Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.706{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56F83E2A0945F617251E336A60074E50,SHA256=9F0408E76A36D2C25B7E4C85F8731D3082A3A29B4EFC1C1A69E2496A37FCD7F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035627Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CF2-6112-0607-00000000E601}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035626Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035625Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035624Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035623Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035622Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035621Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035620Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035619Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035618Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035617Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5CF2-6112-0607-00000000E601}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035616Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CF2-6112-0607-00000000E601}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035615Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:14.363{82855F7C-5CF2-6112-0607-00000000E601}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035659Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CF3-6112-0807-00000000E601}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035658Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035657Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035656Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035655Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035654Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035653Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035652Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035651Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035650Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035649Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5CF3-6112-0807-00000000E601}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035648Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.941{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CF3-6112-0807-00000000E601}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035647Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.942{82855F7C-5CF3-6112-0807-00000000E601}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035646Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.816{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247DD55D6061A232514960C86930E9A1,SHA256=A6DE5DF71FDF9118DD77FCE002A841722B2BE609E919502B701D046170F7D075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049651Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:15.867{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5B2EBCFEFE1EB64DFCA389755245A0,SHA256=30119E18DBF5ED119EB4CBB86C20319AD04DA6C993200F9925E0FCD576634BE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035645Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.222{82855F7C-5CF3-6112-0707-00000000E601}10362648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035644Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CF3-6112-0707-00000000E601}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035643Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035642Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035641Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035640Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035639Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035638Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035637Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035636Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035635Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5CF3-6112-0707-00000000E601}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035634Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035633Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CF3-6112-0707-00000000E601}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035632Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.035{82855F7C-5CF3-6112-0707-00000000E601}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049652Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:16.919{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0CE755612E43510C04AD3E991F3C9C,SHA256=71AD8A7C5D531FF0B670839853C67D8EA2C10981FFAB25B41BE1E782BDCC64F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035675Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.613{82855F7C-5CF4-6112-0907-00000000E601}26163272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035674Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CF4-6112-0907-00000000E601}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035673Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035672Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035671Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035670Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035669Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035668Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035667Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035666Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035665Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035664Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5CF4-6112-0907-00000000E601}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035663Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.456{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CF4-6112-0907-00000000E601}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035662Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.457{82855F7C-5CF4-6112-0907-00000000E601}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035661Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.253{82855F7C-5CF3-6112-0807-00000000E601}28763544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035660Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:16.144{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D923B06242BA4B31E6C943551682B68C,SHA256=29B3BCBF841288546E9CDC757FC5DD2891561BD345628F800D056181AE72947C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049653Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:17.934{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242CB8994D8388EBB311C9D4BEDAE34B,SHA256=FC983530F667F3F558CE4498EE8F29475AE51A44593BFB3D634053FCBBD295A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035705Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.847{82855F7C-5CF5-6112-0B07-00000000E601}26683136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000035704Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:15.989{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51696-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035703Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CF5-6112-0B07-00000000E601}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035702Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035701Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035700Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035699Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035698Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035697Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035696Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035695Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035694Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035693Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5CF5-6112-0B07-00000000E601}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035692Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.675{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CF5-6112-0B07-00000000E601}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035691Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.676{82855F7C-5CF5-6112-0B07-00000000E601}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035690Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.628{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A4E1931AE4B9A506672A9359A2CA81B,SHA256=CF03456D5A0FECFE77A994D1462CB282306BF506BAFE12FBBD2FE4A83D12C25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035689Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.316{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0813566D078C974F1E16843733EE19,SHA256=ACE839A729A7D09FD59B5ED987D754534CF8213C83ACDE0A98DF3DAE654B9D33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035688Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5CF5-6112-0A07-00000000E601}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035687Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035686Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035685Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035684Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035683Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035682Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035681Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035680Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035679Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035678Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5CF5-6112-0A07-00000000E601}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035677Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.128{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5CF5-6112-0A07-00000000E601}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035676Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:17.129{82855F7C-5CF5-6112-0A07-00000000E601}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049659Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:18.937{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7AE1979B1CF78434BED98A8D738E5C,SHA256=86D6021970AB0B007087EF02BBBEB7439AF3612427C6F12338BDD3DCC61578B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035707Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:18.816{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E7928C96D3472E39C337EA00CB8D67,SHA256=1A8B49346F659B586C219DCC80F9F0175F15257B986EA89850CE67AC297B6DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035706Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:18.316{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F9471706C5237A13D027AAD91EC57B,SHA256=384A3F2F92431CA92CCE05F1F56A428B2DCACCC8D2B662B282043773DC9B5B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049658Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:18.687{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049657Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:18.650{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000049656Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:18.634{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000049655Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:03:18.634{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.24.53515909C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049654Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:03:18.634{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.24.53515909C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000049661Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:19.949{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60757BC63D858D3F5825816DE45B53B,SHA256=8DA6D7E0A16427BD827026927DDA7A0F6C71771F0B442ADBE7CF6B352FBBD154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035708Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:19.550{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C698636FF5AA25C581D5CF7B815A91C,SHA256=D2BE8788CB63AFF05D5C2AC96CDA4CB617218FA55DDBA718187A0C0439CB5EAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049660Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:16.437{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64603-false10.0.1.12-8000- 23542300x800000000000000049662Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:20.963{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC830AEBEE9B4650BAFFA138D9C7209,SHA256=FCF6F49CA4E66AC6B639D08B66D844FF0529C007448CC2F55C01034DE7D9779F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035709Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:20.566{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A055CF58004948A7D146F774ED72D5F,SHA256=442508D00542DE74408166C889D1D7FE134946631E754354DCF7E08B00C75291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049663Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:21.981{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9920D6018C2F4E7838DFFEE0EFADC20,SHA256=C9E297263E7FA2DA6FB5A93996AAA6FFC9E45F66388EFB11F2E238BF7764A2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035710Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:21.581{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF9681A8B70C0010E3396D69D64C1F5,SHA256=F04CEF6CDCEDF600ADE6F183E03EAF38418AEB41FB3A184E0A93F1772E658C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035711Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:22.613{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DFA76FCD860F219C5EA6F5BEBC35AE,SHA256=F4E6F90FA7284A6469E3DA97C513842E23F4F2649FB0386D006AB000048C21FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035712Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:23.660{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44885ADEB34A7551329E04CB2D04C03A,SHA256=3A58B5CB4DECAA048E765A81FB26EA82CC8AE28EBC2B9986E04DE53D7FA21ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049664Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:22.999{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F10BA6BBFE88F66A89D513B1EEAA4F6,SHA256=27D086F09B8A879F0246F375A98D7C9145501F63082EEC0FE22F108C02018834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035714Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:24.753{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8545DD29494C77D961E1939897D7DE7D,SHA256=79EE35D18D55DAF9A6365DBED8BB240B70AC4836A67F268C6C6FAE0A334498F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049666Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:21.596{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64604-false10.0.1.12-8000- 23542300x800000000000000049665Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:24.045{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C89BE7FBF57444A1505E808AD07DD9,SHA256=C77138CE8B3A0B2AC1EE754EC61BC03F1675EA1E46B0037ED3D2912E0D895589,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035713Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:22.004{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51697-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035715Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:25.769{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553524747762B623610996FC967D2807,SHA256=2C67D6637DE64D59BF30F1EBA4FDA534B715D2E3E8DCD235429D076734F4B600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049667Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:25.060{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3968B2D1CE99382CFB6E045162BECA0,SHA256=4054EFF044F8A16E03A06BDAA4621C2047AB42390742D0212F0C28606639CAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035716Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:26.816{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C984874F19BCEFA70BB59C344F7DCC9,SHA256=0100BAEAE86110863CB1E36D28FFD49C1EB340A0DBAC4B07D7DDD936FE782286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049668Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:26.078{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4732F82894BC9334878D46C234CEE0,SHA256=8FAD73A8C0D06A1426BF819C8B122E22CF774F535EEF8631BE7695CE4BDF3372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035717Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:27.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFA28AED1F022D385B0FD960C4FBDA8,SHA256=9E7E379ED7FF50E5A0FC6D230668D1E9558AA6EC885604404B8AABE47605F377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049669Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:27.087{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F9A241210E19C09D6F2AF6AAFF78E6,SHA256=7367EA3AE393C8172FBC813591701DB2256CE3DE8E3106B09FA216C6E59AFF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035718Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:28.878{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B895BBB85DF7336A501DBE2EFFEE5A15,SHA256=432A657989E7097EC1610E94E5AE6589D8194C044516FDDEEB479C4614DFC83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049670Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:28.106{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFAEB932C3ABEBF78D3E17216373935,SHA256=48137770CD407B2292E38878636F5A54A336FE4ABA6BC73C305B4551CCFA7489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035720Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:29.895{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142500D0248941AD43B5B72258CD238D,SHA256=AF7E62B7914613039D6D23522275B36F78F3012626EB476DD6ABBE27FA824761,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049672Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:26.673{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64605-false10.0.1.12-8000- 23542300x800000000000000049671Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:29.136{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFEAA7E233E1F4CF01CD6B2DBD06583,SHA256=20CD65F92A7EFD68108B8F505D61F63A51EBEFBB1FFB0D2DA5254555EB76A102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035719Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:27.801{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51698-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035721Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:30.910{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631C80468FDE2E11C8A055D16CEB25EA,SHA256=05A454100587F82C2EF8550C11AA5AE91CA542003247721F7E773E67A8C236D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049674Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:30.704{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049673Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:30.152{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4556810B9A5DB5D8DEB836A2CEC2F2,SHA256=26D1885F5A8F07CBCE6AD514052916F4CED9E1BBB9A2CC2873CA7BD8DF8A3E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035722Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:31.957{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18046C62FE71230CB0D55E8B58E798F,SHA256=A72E38711840317A4BCD92A36DEDCB3B7C5A1489B19B654F61DB015513251D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049675Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:31.166{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48EEDC46AA535A613C58635A33D5D84,SHA256=DF967E89515CA8AC5504544711658BD07A885735E9540DC5AD488AA6B024C3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035723Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:32.973{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F23763450C70356F9A3CDB94BCB727,SHA256=45BEFDF58261EE424082AE68A5E287BF1570559DE375AC8DC0621A9EBC17EBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049676Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:32.184{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2016058BE2AFCB5A87177B5BBE394EF,SHA256=5AC77B66010DAA0B3F23A9C894502BAE3ACE31C584BC6E48160A75712992DC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049682Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:33.917{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049681Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:31.537{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64606-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000049680Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:31.537{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64606-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000049679Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:33.203{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26ACD31ED0898E24D1EA2894AB26BEC1,SHA256=6971B85D03F7FD34C59ECAABCEF73C49BA75B46410F57B4D133C031DAEB9DB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049678Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:33.118{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A09C14EDEC40FDAAE3C88DD43B1ADF,SHA256=2F52DAF5D922419CF4B6538BACF216A96AC1F272810D0D23B44867803D799D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049677Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:33.118{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B74B894134472169437C8CD90C7C53B9,SHA256=096A42912E5F4F59574754149F4691E9E4898DA2D57ADB3D6411F99FE160C0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049684Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:32.552{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64607-false10.0.1.12-8000- 23542300x800000000000000049683Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:34.233{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB93289B7FC94243D417CEE821199E3C,SHA256=CB5B3BDB0DD735B8D99864E159FE8EBC7980753639F68B087995A8727D145960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035724Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:34.051{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2737165A417F66AA9D42B0A03F9679,SHA256=C81E63A281A5FCC3A3C2385310794B95C8299544C47611044992757CD5B2A7B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049686Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:33.351{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64608-false10.0.1.12-8089- 23542300x800000000000000049685Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:35.248{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029E86139228ADAA12929D63834F60DF,SHA256=EA0194C5675E8094C1E6F120E6551D81835846D958B10E0BF451B9CFA559A557,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035726Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:33.818{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51699-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035725Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:35.067{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5B1F1D9B7AFB79F95B743FE213B297,SHA256=45E3E77305A57A5269E0697B8751AAAB491B461497F53CF9418D447A47684033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049687Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:36.263{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08949A1CDCC0DA1F982E67703F25ADB,SHA256=C76F276DA4CCDAD9E2959E599C4D46D07705376F5D7CA153A999DBEE7D976EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035727Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:36.129{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A00E14D789F4A7AE13E6BBC1EC1C28D,SHA256=F7A49A9ED3C0008FA6AFD233976211636A104B9C22DED52DEA1899599F5C8A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049691Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:37.746{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000049690Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:37.746{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049689Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:37.746{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF9e2402.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049688Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:37.280{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83428212099BDF22F2C5407008D8928C,SHA256=06BBE4E2D3D85F00013C4A571822811C97E62337CD6C26FAEC08B4B061FD3CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035728Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:37.145{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3935087684EC6EAD626ADFAA3D95F8,SHA256=DAC658429B69866D7209D09A5C56F52372B4CDA7FF552F07631751CF7D335F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049692Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:38.314{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231ECF9BF9FB05CA36ACE3897A42D260,SHA256=D86B3539D38643B715845C7ACD4D78CDC8DB4C52EF07045122ED11C232B89DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035729Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:38.223{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4DB3EA929BB3F77B4B177D39B2ADD7,SHA256=CC589AE9E3C13FB649BA0430F131925D439C4043450D31003527C93900CB95B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049693Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:39.345{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FBBA428DA288EB9057AB46B938909E,SHA256=4B9FCFB085CBAC707A9896534E7014BB2C929042DAB863A17E37E36C386C2679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035730Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:39.238{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A736FE433DD2B5B7FAD9E0F1ABE1C14D,SHA256=860CA3A087C4EC8A9719F38B50C0EF70A20C65BDD18A4FAC9D8EE6051870C2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049694Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:40.345{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD0C7A0A3B8E7FFD75DBD185EE7FBAC,SHA256=393DA6951EB2C6627FF06DD14EB633FCC545653E5039205A60A460460EF8FB1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035732Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:38.942{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51700-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035731Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:40.254{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC857593EE5E251C2D7B2A39C5F2EB4,SHA256=5F3742B09FE772488CEEEE6F5E274B173E4B4A3358F760F1DAB40A976A6E9781,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049696Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:38.547{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64609-false10.0.1.12-8000- 23542300x800000000000000049695Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:41.398{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42BC8EAE9DFC7BA06F872889D71127C,SHA256=4D7BFE01B5472EFC4C9C24881A55AE6D1932DC99328D140BB12E36ABD24113A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035733Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:41.285{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E16A26AE54A779ADFD6233ED333BED,SHA256=A6B1A022E5C47062C6E0DA360681D3132A0BD4469E4198E3D8DF94BFF02ECB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035734Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:42.301{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F8DD7581F7EBD82DD7C3CAF142A515,SHA256=1FC5B2DA728ECFB95422AC3986561719FE3FB11D17CFA56FD54CBD1CAD07A130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049697Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:42.416{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CB217954E9FEDAD0CF22C18C723F00,SHA256=8D44E8934CF91EF1CF5452101AF30AB9B73F9FE10550215991020F789A2F2BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049698Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:43.431{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355727538E7CDEA04E4752279DDDA777,SHA256=61B0E152E40CDCD7FBDDC3F5A63A77D2828DE476359182A4DAA3CCF347B7B84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035735Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:43.317{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD5C677A619EF90A025BC3FA9EAEEF1,SHA256=EB6E76F967EF2DD6C663D101AB645533EB0697951F8199E4CE166EA511A301A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049699Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:44.446{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAD209AE2D3DFE8B648BAC584E658F6,SHA256=1E2E793880776F067F5CB45166688031CB9340552E383BFFBD86F9684C666477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035736Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:44.332{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DFF2CD64F8107FECD14E6F717C2F42,SHA256=0E736F282EF70E7C881BF6DDDA27B569C4744D88582D178EF81C25EDCD30323D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035738Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:44.005{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51701-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035737Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:45.348{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C191CC1879FDB3D4F82CCB535D4B6F,SHA256=9D69F704DA1141F56CB3C0F314DAC820B7CFA69C3E88F902946737C780988194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049700Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:45.461{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FBEBBC078336A1718EC8913C14092D,SHA256=F26351DC6602F85734CBEF9ADA5472ECB6D9A16262C5660FC3C423DE7430EF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035739Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:46.348{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6DCA99EFB6D82AFF918684B8E72E35,SHA256=32EBC95F710A04A926B00A735C3FD8D0F8C9A8596A01534B4AE2EDC2DB392449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049701Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:46.513{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A95E93542F56A7BB71EAC8AA638582,SHA256=3F722CFDF3F3C2F6A4801DF8B17600D96D3D76CAE9152786AD48EEDDF55A69FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049703Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:44.564{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64610-false10.0.1.12-8000- 23542300x800000000000000049702Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:47.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4E3332E2F4136D0A41C7A1CCACD587,SHA256=486BF963F05EEF0A3B86EF6466218068B4D0319DD3383CF14F3447D501538886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035740Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:47.363{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB92329765C2C4FE9C4506EE02B0511A,SHA256=B71961905B43D38685D641FDBE88AF65BE22158D671705EACD2C08A49401EC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049704Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:48.559{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F9A4E52E8C10E8B99301EB56ECB2F4,SHA256=A306B1696849B80D085D723BC6917014A71066E26225E195ABC2A97BB971FD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035741Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:48.379{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF9709D83F9181EA3C947879C10C42A,SHA256=C6E3EBD6E44C2D96577E3DDA4BAB1E316D28571E211C18F2420AE38CF5AB6254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049705Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:49.577{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609487A7490514E4F6AACAAF63879221,SHA256=567173A0D4D20C24182D297CA221C93F44C36C939E05ADF5415B4627FF3DF200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035742Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:49.382{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC60D479BFA6755C5ED37337A34706C4,SHA256=795B0E3B94E97860B4CDB140DC92ACBF36F98E2EDC0BC0104FDB4A93B9DCC9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035743Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:50.397{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CE40C7907DD9A8ED2774403D1BF73D,SHA256=61623824CB0CEEB58A47665B730E664CDC002A6825062EAF9D593C312E12DB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049706Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:50.598{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB25BD962963635A2A501081FC53BF1,SHA256=9A85F4BCCC391BADDF52CA156FCDEBBF261B304873BB684037A41EE8BC3173A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049707Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:51.628{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496E1D4699EDAEF365FD6F3E7C497816,SHA256=9D06055525853854E111D3375BB957F47662DF295B0193AEC863B4C712409F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035744Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:51.413{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38B7B557AE8C30B5D714B7156D54266,SHA256=583EE5FE25AFB9912897D0D6AFE6418332DBF6AB2C733FDD2435F123CFDAAE2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049709Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:49.694{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64611-false10.0.1.12-8000- 23542300x800000000000000049708Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:52.659{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010185FD7B1C73C523AE7FF6A7802475,SHA256=E55C5F83404C8B9A81B3B8767C25DBEC270E4017CEFC893C6D92CA06EB9A2E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035746Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:52.429{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6BA7D0129F7FF7B36217C563B02354,SHA256=28D7C322A62F5ED25C9A0D1AFACD4F4B938F37B92C248102A533DD1E18DA13A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035745Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:49.773{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51702-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049710Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:53.677{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B873BCD3DA5C7DFAA3C8F9B8ECA83967,SHA256=DB574AB93BA09525E158F122F903BA6C00AB9494009B1929689C1623217E9006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035747Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:53.444{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1D6D4DF1F77A8289C8834D31C906DD,SHA256=910EB5E31D44B3E03364BFBBCB248481037FEB9CD238457CFD169D43586C341B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049711Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:54.745{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FCB5CE6C6F23FB6E8CDA336BB44A11,SHA256=2C6FBB87CA5710166D0A75BA5CCC4E39C7B77E17B4BF7E7E074F4568E8782811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035748Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:54.491{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D36108C01DEDBD5A12EA0B7A1DEC8F,SHA256=84D2BC80CB5D93C74AC7A289944E39FBD653E1CA46F18304FB47C583C038815E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035749Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:55.507{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC06DD47986C3C7B1B6FCB1E60BCAB3,SHA256=32AB6F08CC1F4D0EACBD9D1E5ED6AA2A5915DB2241F9C88AF01B593216B3E9EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049720Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.745{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D1A513A38375F1AE45BCA02B72956A,SHA256=F83793BBC5F5B2A604FCD20D3075D1C2AC8112C9B86744DC13EF2D434373B661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049719Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.360{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D1B-6112-9C08-00000000E501}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049718Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.360{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049717Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.360{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049716Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.360{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049715Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.360{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049714Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.360{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5D1B-6112-9C08-00000000E501}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049713Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.360{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D1B-6112-9C08-00000000E501}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049712Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.361{82A15F94-5D1B-6112-9C08-00000000E501}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049740Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.745{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9761C24A5D17EE1581A211E888D24B,SHA256=6A799E6948894D3193FF89D2C71949648F886535AD8FE2B8460254E17EAF535E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035750Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:56.522{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2039354AD03C3A11BA0DE7CAFAFD987F,SHA256=6FE1C3CF4DC39F0AC1F04CA8F5075478F6A6B30817230E48C575281F1FD43AE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049739Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.714{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D1C-6112-9E08-00000000E501}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049738Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.714{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049737Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.714{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049736Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.714{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049735Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.714{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049734Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.714{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5D1C-6112-9E08-00000000E501}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049733Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.714{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D1C-6112-9E08-00000000E501}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049732Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.715{82A15F94-5D1C-6112-9E08-00000000E501}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049731Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.361{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315FD5871797ED232994D5EDB23CE238,SHA256=DB137BE8A0A958E51867C85DC07D6C657B234F45E60E5A809060E1699E538BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049730Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.361{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A09C14EDEC40FDAAE3C88DD43B1ADF,SHA256=2F52DAF5D922419CF4B6538BACF216A96AC1F272810D0D23B44867803D799D11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049729Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.230{82A15F94-5D1C-6112-9D08-00000000E501}22283476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049728Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.045{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D1C-6112-9D08-00000000E501}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049727Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.045{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049726Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.045{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049725Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.045{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049724Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.045{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049723Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.045{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5D1C-6112-9D08-00000000E501}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049722Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.045{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D1C-6112-9D08-00000000E501}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049721Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:56.046{82A15F94-5D1C-6112-9D08-00000000E501}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049759Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.917{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D1D-6112-A008-00000000E501}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049758Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.917{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049757Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.917{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049756Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.917{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049755Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.917{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049754Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.917{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5D1D-6112-A008-00000000E501}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049753Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.917{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D1D-6112-A008-00000000E501}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049752Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.918{82A15F94-5D1D-6112-A008-00000000E501}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049751Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.771{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145BFCB29B0095E989373AB198FFE62E,SHA256=650E8072122FE6797A494D9C1FF3424ED17C4B3803A61B408DA5BC6651892B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035752Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:57.585{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10F8A3AB49CF1431C2F28B9B8E91EA5,SHA256=1DD7C2CC4ACD404A0282AB58B70D61263D574D40ECCC57E5CEC784DA84569D04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049750Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.729{82A15F94-5D1D-6112-9F08-00000000E501}59882824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049749Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.722{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315FD5871797ED232994D5EDB23CE238,SHA256=DB137BE8A0A958E51867C85DC07D6C657B234F45E60E5A809060E1699E538BD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049748Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.429{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D1D-6112-9F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049747Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.429{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049746Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.429{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049745Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.429{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049744Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.429{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049743Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.429{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5D1D-6112-9F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049742Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.429{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D1D-6112-9F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049741Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:57.430{82A15F94-5D1D-6112-9F08-00000000E501}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035751Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:54.867{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51703-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049772Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.936{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E1A2268146312A5BB84DD4EF587A56E,SHA256=5C42B327E0D4621694EE0908B56E37E9699EE94931B28062CF5CE8E25DB57F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049771Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.801{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE971ECC3D2D71456D895E72D1EC2F98,SHA256=8A218B9184C01BD44E0C77C06AD30BEF83F9EA445DE728B1D88355A0C6D1987A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035753Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:58.632{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DB1C1B221FC21BFFA6792AE529BD38,SHA256=2855181B7E735FA2CCDC98066587122A13DFD9C5AED29BBA3C7DBAE0ADD59A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049770Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.754{82A15F94-5D1E-6112-A108-00000000E501}70845828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049769Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.602{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D1E-6112-A108-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049768Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.602{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049767Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.602{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049766Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.602{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049765Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.602{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049764Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.602{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5D1E-6112-A108-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049763Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.602{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D1E-6112-A108-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049762Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.603{82A15F94-5D1E-6112-A108-00000000E501}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049761Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:55.664{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64612-false10.0.1.12-8000- 10341000x800000000000000049760Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:58.102{82A15F94-5D1D-6112-A008-00000000E501}53442252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035754Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:59.633{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B85213DB63AFE774B2D3425C48C0D15,SHA256=05F9C22DE046F786F448FCCD7DF6F842D024A9A978454548CA1D9A027A4A09F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049781Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.802{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B653E2D8015E13B3A933946E4B69E4,SHA256=CD78541BDBE73711A76F5C37F05F43D52C138586F113FAAD463ADDDC34D09C2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049780Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.270{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D1F-6112-A208-00000000E501}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049779Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.270{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049778Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.270{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049777Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.270{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049776Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.270{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049775Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.270{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5D1F-6112-A208-00000000E501}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049774Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.270{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D1F-6112-A208-00000000E501}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049773Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:03:59.271{82A15F94-5D1F-6112-A208-00000000E501}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035755Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:00.646{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A3F951EC033B33B2006DFB2A63886B,SHA256=A0087E0FFEEF8BA0DF6A913D19B026B55B84CF40DFEF7249D5F59C4FA14879DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049783Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:00.836{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA1C9FB8D12AF93529F18B08EF3E778,SHA256=3CF042A21B544CE70D139AE8B703010A40D348861E567AC9C72505744B12E32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049782Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:00.286{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD39ED12C0D4ED3D400B9962E85706FA,SHA256=C6928DE9ADD185E42EF1B8C921A50E06CC64A4FA5859F12A7FCA293782841019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049784Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:01.854{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E592107074D7328252C15FCA7CEB5AE6,SHA256=20A2FC9A88B37957A973486D0FF8DE666ED9618FAFC731043D9E0B247F4353C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035756Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:01.664{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91A89155683DC81820B7177D1215510,SHA256=1B520B6B3C8E87934F76DAAE3D31BF2D2432D1EFF4161E9DA07A4A232BC1E514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049786Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:02.869{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6DF181500EE317C92C47583F7909D6,SHA256=DB1983B409DB6410E2603681672A5E545A349E8CA8D5E3962DE02670007CCD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035758Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:02.664{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF554011D9FC14F70B44180AA16DCAEA,SHA256=DB11855B9C96AF1CE8880610C1995A78139C0F0300402EE8FE57F1974AE053EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049785Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:02.216{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FB917B553CBEC9358621B8651F50AC74,SHA256=F559F3FF4F0736D6C39EECE18758163FD7363353ABDC270F8C654DD962FDAC3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035757Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:03:59.991{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51704-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049787Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:03.884{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375FD13CAD5ED5249DC74A2AC67355A0,SHA256=64387CCCDDB5F787283B9D054DB8FFB0736749EFED6DDB87BA738415AED1D57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035759Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:03.711{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E561B757AA649D5E703B647F7B1B43A1,SHA256=C891ABA43B06FB13691FF6F35EA0E9C687A8A55A0D22DBD5929F71C6F597AE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035761Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:04.758{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66740DCAFA770EB61F584F6730E67864,SHA256=2C970F8C337CA57647CF90EF44279198B2FEAFEEA16F13A7407CB83F51444AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049789Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:04.915{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882CE7205E70E6FD20F1651BBD45FF5,SHA256=627604A6B1775D886E98E1A23329A44518315C6DFB932E0FA022917625B6A14E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049788Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:01.603{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64613-false10.0.1.12-8000- 23542300x800000000000000035760Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:04.242{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049790Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:05.933{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFDA4A0DEFD03D9B0DC1EB58BD2B869,SHA256=C608BC035C93C08CA07E99DAC2A13196A067532251856D40952AED0DBB30C460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035763Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:05.773{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98A585F3F040CDE16962927A5126425,SHA256=7C657B58693E3FE4BCD86D7CAF2F1B597E82C87E02A7CF50E58DA28A95C33283,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035762Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:03.993{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51705-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000049791Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:06.951{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A14991DF80AF5624035128A8A7600D4,SHA256=8FBE6F20A0634D90D37778113737E9B06403B7CFC259E736B459959CEBF77BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035764Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:06.820{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4D9BEBB4CDD8B713C0A1FF4B85426E,SHA256=405787CDFCA090ED86CD546C5420DDFA1FA4C7250945C9CC03EF7684359E8368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049792Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:07.966{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFB0D04B71834B3F58FF4A9FCE09C60,SHA256=002792DD40B4750AC6761AA738E7EA474B402AD4BF85F6F393584E842A696747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035766Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:07.898{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D90A84A0AF0CA6FB7801B325DC1317B,SHA256=887D2B081C8ED8A99914C2A24B6261DAF6C80069BF3BFCF1CC82D59EB2066422,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035765Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:05.899{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51706-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049793Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:08.980{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA359B5CBDC721A2B77CA91FCEA4A724,SHA256=BD89AB93476606CE77B5EB41E25497958B8F8F04F05851E8B10239B05E769A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035767Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:08.930{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F38DA404DC0BED16DED7BDE306B3CCE,SHA256=FE9E90966A33811580708F6BE5401D0B43171B321D275B3FB6E819D2BA3D0155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035768Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:09.934{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A78590F95DBB911AEEED98D04EF9A4E,SHA256=3DD8942332BD34FCB15B5D9AD3FBE76EA9769C96C3D1E2197D0C18DADE88DAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049795Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:09.995{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3D58A26C4E4ACEECB05BEA94CA2D1F,SHA256=5B9CF31696ED79206E5B69644DE299945356393ECAD2B7EC9AFAD69B54DF39A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049794Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:07.600{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64614-false10.0.1.12-8000- 23542300x800000000000000035769Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:10.965{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CC24FC742E3DE20F0A380058CCDA3E,SHA256=E9871FA8A7CB0BD0D6ED9C49D200108681D5E3C3B5F0ECB91C99DF99E91B1C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049796Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:10.998{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D8BC6492B79049E595A59320B09DE3,SHA256=9A9E3C20856E68E378B5CFAB4AC6004B7CA2BDFEBDC45E7CC7FECDFE8E871751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049797Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:12.013{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F051976C37CFA840E652C05AB73730D1,SHA256=62288C69A85C3331B672BAA38418CA337F065E6F421182337D723CB45A30089D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035770Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:12.027{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C824D93755B52050E1552C942881DDC,SHA256=3230C09DECA628025C1DB3DF627344B7441333B85F22E8CBFE0A13E19ADD2F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049798Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:13.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BA8A6CB8F515E65430BF950C15527D,SHA256=709B26B8CC8C523E2827DA026AA7D790A317DCA15BA8EBE5DF0BF969E5A81E05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035785Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:11.856{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51707-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035784Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D2D-6112-0C07-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035783Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035782Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035781Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035780Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035779Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035778Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035777Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035776Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5D2D-6112-0C07-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035775Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035774Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035773Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D2D-6112-0C07-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035772Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.684{82855F7C-5D2D-6112-0C07-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035771Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:13.059{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2557259C1A55618D18A2D0BEC754CD7,SHA256=A83F99C84362ACB62DBF45E2081662A449364C36E13C91AD9668D09E29751724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049799Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:14.081{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C7D90BD3AFFE6A9EDA0EA22FA5FD48,SHA256=7699663AB367024B11262243DD650954AE51123E11EB118E603FBC2E7BF21423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035817Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.918{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6EDDFCBA05B0CD373388ECDECFD1DC32,SHA256=5FFF8891F42E3AC9FB250207AA52E90F9BE7236FF0D23829DA37B0D3F1571085,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035816Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D2E-6112-0E07-00000000E601}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035815Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035814Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035813Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035812Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035811Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035810Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035809Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035808Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035807Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035806Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5D2E-6112-0E07-00000000E601}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035805Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D2E-6112-0E07-00000000E601}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035804Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.809{82855F7C-5D2E-6112-0E07-00000000E601}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035803Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.699{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4ABD970968C93BD8F247EA371F58C99,SHA256=49136C6D8CA2A3FA45DB68EB0039AABE2BD62511BE75CE5C010A623EC1CAFB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035802Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.699{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27E5B93CBF1894F34106B350E8758A6,SHA256=8B53D259737A9D47FF6D7F244F128ED1DE153EE3CD45CB9986ABB649635342A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035801Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.527{82855F7C-5D2E-6112-0D07-00000000E601}28121952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035800Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D2E-6112-0D07-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035799Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035798Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035797Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035796Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035795Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035794Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035793Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035792Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035791Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035790Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5D2E-6112-0D07-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035789Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.309{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D2E-6112-0D07-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035788Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.310{82855F7C-5D2E-6112-0D07-00000000E601}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035787Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.262{82855F7C-3680-6112-0B00-00000000E601}6122600C:\Windows\system32\lsass.exe{82855F7C-367E-6112-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000035786Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.105{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99028A8592E4F9BD5383DE36046F77B2,SHA256=42776077032AA2F1591B39C47EB4B7FCD674EB28B9434080BCFF15F0EDE53F4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035832Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D2F-6112-0F07-00000000E601}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035831Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035830Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035829Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035828Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035827Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035826Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035825Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035824Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035823Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035822Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5D2F-6112-0F07-00000000E601}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035821Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D2F-6112-0F07-00000000E601}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035820Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.935{82855F7C-5D2F-6112-0F07-00000000E601}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035819Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:14.032{82855F7C-367E-6112-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51708-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 23542300x800000000000000035818Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:15.152{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C339A7CC48EF1E65DDEDEF2867D3D3AC,SHA256=06B4A852DCD3BA0F03769C29484E62CF2507E24FB83A35D7535A8D3F3D36A524,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049804Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:13.700{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51708-false10.0.1.14win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000049803Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:12.647{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64615-false10.0.1.12-8000- 23542300x800000000000000049802Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:15.281{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DF58860D4495A485AEBBDDEF8AC0BB4,SHA256=C5B47EC013DF72921E65AA70F04940A89B3F012CF0C05F8CC9EB32F01481FF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049801Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:15.281{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30392DC7CE08494ABE52D20224FD17EA,SHA256=93B54A04DBC659C2F58FCC4AC911EDBE014F0A1D51507C28B74ACDAFC6970E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049800Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:15.096{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9730DA017F4E6008B579D9B413E41F2,SHA256=186F033A01283BE53D01EC736383BAC1AE5BF6647F6E8451146BB08D0C7CBDB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035849Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.732{82855F7C-5D30-6112-1007-00000000E601}1082832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035848Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D30-6112-1007-00000000E601}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035847Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035846Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035845Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035844Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035843Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035842Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035841Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035840Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035839Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035838Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5D30-6112-1007-00000000E601}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035837Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D30-6112-1007-00000000E601}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035836Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.607{82855F7C-5D30-6112-1007-00000000E601}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035835Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.169{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2D97A7E2E8C3234AEA07788663AA38,SHA256=629AC8DE3C0C27AD0982A6CA2C06DF19ECE99F245DA78E7D16621DF1DAB2ABDB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049807Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:16.311{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txt2021-08-10 08:54:16.052 23542300x800000000000000049806Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:16.311{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txtMD5=77231468903377D9AE43D1DA5E3FF051,SHA256=C1D4DB57C149AA628855727855C39C16CCAE964DC25212B32BB27C3EEEA2E2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049805Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:16.111{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A893C33F79B25E5E516562B22E62ECF9,SHA256=72364ADB77396A7F68733B3DCD230B5F0744D365D7107CE02A656F85CE7BEADC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035834Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.075{82855F7C-5D2F-6112-0F07-00000000E601}25683776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000035833Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:16.044{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4ABD970968C93BD8F247EA371F58C99,SHA256=49136C6D8CA2A3FA45DB68EB0039AABE2BD62511BE75CE5C010A623EC1CAFB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049808Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:17.132{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4D9C9C0E10DC066949996CD2673AA1,SHA256=267E803452681527F6C1A1F4E7FFDC9FCFC913856B213E7D86672A32F27938AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035878Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D31-6112-1207-00000000E601}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035877Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035876Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035875Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035874Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035873Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035872Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035871Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035870Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035869Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035868Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5D31-6112-1207-00000000E601}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035867Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.952{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D31-6112-1207-00000000E601}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035866Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.953{82855F7C-5D31-6112-1207-00000000E601}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035865Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.638{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26BD5EC0A876AE78C43626522F7319E7,SHA256=71C0AE82BA7A78ECE4B7A690B9441FC772C46B074D2F5CC340507C660B4531F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035864Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.450{82855F7C-5D31-6112-1107-00000000E601}40881048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035863Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D31-6112-1107-00000000E601}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035862Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035861Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035860Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035859Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035858Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035857Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035856Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035855Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035854Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035853Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5D31-6112-1107-00000000E601}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035852Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D31-6112-1107-00000000E601}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035851Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.279{82855F7C-5D31-6112-1107-00000000E601}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035850Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.232{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F066901DEB1A72DEC407CE925D211F,SHA256=DC17F61CFFC5D569A3FFA93342A2CE09346F92298B70EDC1BD99A1D292518592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049814Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:18.695{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049813Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:18.648{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000049812Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:18.648{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000049811Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:04:18.648{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.70.187907669C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000049810Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:04:18.648{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.70.187907669C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000049809Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:18.148{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628C075FCACCFD288580E6311A8B5BCC,SHA256=BCCA5B7A64EDA9205DB00F65E00D78F9E2F764F8037C20BDBF68102131E2C35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035880Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:18.982{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CCCE9A3844DAAA33D69F1F52841A84C,SHA256=EAF1F176480D652AE9C0895620A3BEA1C84C8F85387FD8E46E741159FF000C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035879Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:18.279{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8475BCE19E992CC266C4DB5C391899EA,SHA256=AD749E9F51015245DAA0B884E87023B0D31B1550596EB79378A1BED96E1F2E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049815Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:19.163{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348AB14398CA3B04F4EBDDC0775FF8B4,SHA256=E9CCC91876492AD5F9BC1FA347612F68414121B54F0DD142BC71095085A2E6C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035882Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:17.873{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51709-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035881Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:19.294{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D1E8AD860DAC799E05B26DAF6DA5F1,SHA256=E6EE7E36D0C9595FB72278AF0EE405F676B91B210E185AB436EAC3FE736AB75E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035883Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:20.325{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93202CF13825C04B5BE93B83C39D9778,SHA256=595DD6A86727F0ADDC4D2D3E549F3DEA0329209EB2435FA28D6C92541EEAE421,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049817Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:18.581{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64616-false10.0.1.12-8000- 23542300x800000000000000049816Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:20.209{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74454731D07FF4160BFAB9E3FDF52B9,SHA256=EBA1053B43961542DB3E17919F642E729808D39200D3CCE1FE8350CB5483117E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035884Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:21.419{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBD7A14860E083DD3CB78FC1EA6DB03,SHA256=4687C775CE364FDE53FD5E3B3454D75909E317D790088BBA04538AB98247871D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049851Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049850Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049849Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049848Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049847Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049846Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049845Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049844Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049843Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049842Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049841Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049840Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049839Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049838Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049837Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049836Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049835Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049834Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049833Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049832Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049831Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049830Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049829Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049828Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049827Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049826Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049825Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049824Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049823Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049822Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049821Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049820Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049819Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.862{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049818Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:21.231{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333D511C210B1B0543BEA47517056262,SHA256=7D4F11023EF4272E32BB3A7A9E8722080F06069F8532C88271E5DAFBD0D0BDC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035885Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:22.482{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666764A8589ED0DAD32426B6B7710F8B,SHA256=BECB7FE2FDAD43D0A41D691C150E95E26AAD29762B450FBDCACA469B08EC160A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049852Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:22.409{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB56B03238C969B4103F80F846AB156,SHA256=42739D86058676AA07E673EDC89D9A0FEBD5C780D80478B203AAF2869E021A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035886Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:23.591{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224AC53848F32833E07CC8F6B76BFC00,SHA256=0AA3E997C213433AC6439A4B1D41A45A1F09299A1A3C4FE9BE32D5617A5EA240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049853Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:23.413{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD66E0BF3AB22CEA8E815A180F3D339,SHA256=712AFE0B98A16C12F2CEFD93337DA09586069306D86B71DB560B4FD83CF22C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049854Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:24.414{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DD1BB5901B1721ED4AEB038C70510F,SHA256=B1718D46A61BEA76FE0C6A6C848CE32490764E9AEC606DDC2AE49A563E368907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035887Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:24.622{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C604E32AD97C6E18F284C7206D4871,SHA256=7EC048CC8482C51189D41FD4A78D7AFBA6D13451144DD7BF0139E608E5C4C8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035889Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:25.654{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74492E1AE417E7828D72C59CEB943CD2,SHA256=5EC0CE718FE256E3355199395C62377E608BEC62373880370FD111C6E6060314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049855Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:25.436{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FBBF72CA46E695C182BE00E4D93DA3,SHA256=0F184238020E831632C598CC12F8DFE1631F9774EA3B36B401E635C844308BCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035888Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:22.982{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51710-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035890Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:26.685{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30589571EB12FA4E2BA42FEC5FD47DDF,SHA256=AB125C0FDAAE147A3415AB19682812ED828A8FE2DCF3A2E8E6613ACF6334F55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049858Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:26.451{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB99D7D6C1664BAE7B52D5C61584E309,SHA256=BC62607DAD45718C732A5043EE606AB57787D002AF9ECB3A9C3FC20E1ADB7BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049857Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:26.052{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F479EB67A320371B3DBB3CD7D003030A,SHA256=168CF13549B471097E6E291E663299FD26537FFCE6F79AEB5B8280BBC6C16627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049856Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:26.052{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DF58860D4495A485AEBBDDEF8AC0BB4,SHA256=C5B47EC013DF72921E65AA70F04940A89B3F012CF0C05F8CC9EB32F01481FF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035891Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:27.700{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E3FBE96BB1B7BF4A27CC87D4EDE18B,SHA256=6CF13D52F5674D2B915A1A6FCF66C44A32273A316EB491292E192D944CFD8D19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049860Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:24.501{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64617-false10.0.1.12-8000- 23542300x800000000000000049859Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:27.451{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9C1730FA1AF9CA3D83D4704AA439AD,SHA256=872850AB75E305209A325B43F1420541B2AD3E51F8DDD04F01DA24A2B71A944C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049862Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:28.866{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=63B75F22187AA35C1B804D71C44CC30A,SHA256=1705ADBBB507CC09656A6EC7738C410F65025D26F90B68CFFE409809EAB58F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049861Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:28.466{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427272A5E05F9F868CD64C2BF71EB651,SHA256=723F49E933FFEF6C0526E6A0E3F355073FB2826B43D40213353DF3841F6D3E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035892Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:28.716{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4812F654348EF1BB0E0A4423E9164C,SHA256=9F6C7960B966052F82605D3524DDDB312BC45A6CF61B5A43A9A485F6D89183AC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000049873Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000049872Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009eef03) 13241300x800000000000000049871Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcf-0x1b8d67f6) 13241300x800000000000000049870Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd7-0x7d51cff6) 13241300x800000000000000049869Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddf-0xdf1637f6) 13241300x800000000000000049868Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000049867Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009eef03) 13241300x800000000000000049866Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcf-0x1b8d67f6) 13241300x800000000000000049865Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd7-0x7d51cff6) 13241300x800000000000000049864Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:04:29.712{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78ddf-0xdf1637f6) 23542300x800000000000000049863Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:29.481{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C32DC9A70DDA698BE6990682CD6D41D,SHA256=3F465AC7A5651FFB1D727E40CEDDF0A7A631473681AB279BB65C9967C6C7F42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035893Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:29.728{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BF5AC055B823EC017AF0903CA97E6C,SHA256=B1731957C0807A91DEAD538B2FEE34265BAF83247D14D41FCC6CEE9C4A90CD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035894Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:30.728{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344F191B1CE9CFCEC1E8E203BFA061B2,SHA256=08B7B865C2B8070128B1F88A8EA0623B4C9B9389C8D8DB5FEA66E2C82BD33E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049875Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:30.695{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049874Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:30.511{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90805C82C82DFFA038F130FC2B987958,SHA256=541615D2786F9779818C00A8F5A25AAA82ECF2835E03F3F17E36B5653481F5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035896Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:31.744{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F5909F9F964886EF1230208098B0FC,SHA256=F8D5410BC62AF4041CE1369C9943BD80BD8BE20ADAC9550A8CB38BF19676BC33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049877Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:29.683{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64618-false10.0.1.12-8000- 23542300x800000000000000049876Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:31.530{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CEE23C589F687DB4C1E994CAA6A180,SHA256=401D28113676B36BD828512DB2C10FD8F38F9ABA6FCD0A20BA44FF38048BF374,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035895Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:28.857{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51711-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035897Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:32.775{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5151DEFF7CB7E10263B10ABB63DEA972,SHA256=E5301E46F3769C6C855188FEACFC2EB81132F827B54D0F5227DAE7D2F192168F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049878Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:32.547{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FE6966AFEED763D8DA7F62B3A4A94E,SHA256=625DCF2530A8F5EECAA57D6D3EAD75708EF1380C8A0F039CF69099FF69E87176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035898Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:33.790{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3AD163DBEB215EC8FAAD38BFBB2DD9,SHA256=31EFCBE0D5A26823C1AD39B5BB1B8A6FEE63E62A241423314E6F692CDE7FC985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049882Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:33.946{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049881Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:33.562{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB29AB32112AA68F0DDAF75A6BA90E30,SHA256=B2D0E71D0AA85EFEDC744395304A08AC2CCB21F135D56C120B66E655335463CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049880Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:33.147{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C68D9C292860B799BEE6308EB32981AC,SHA256=360D5899451AE180B57DFE488EDBC1ACCE6F72675A05F97F3EB6A6C0E0C2EF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049879Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:33.147{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F479EB67A320371B3DBB3CD7D003030A,SHA256=168CF13549B471097E6E291E663299FD26537FFCE6F79AEB5B8280BBC6C16627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035899Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:34.806{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF17DDBA74CA893DA19808219D291DB,SHA256=131AF959C07A799FB5D7CCD016E38C2033D8A01276A89F1082B00268DE495EA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049885Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:31.544{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64619-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000049884Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:31.544{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64619-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000049883Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:34.577{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810BA6301C68B9F61A2307BCEAA1DEB2,SHA256=D75E58A1AF8CDC68B559465B48781C0E79D5C7F93C1F181DBF470592680065A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035901Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:35.822{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F20828D76E8C802AA2493EEEFD0958F,SHA256=8FB237DBDAAAAD652B3B8033522F43239343FEE07588939E94846ADAD40FBC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049886Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:35.608{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1993F62710C8D738DAEFBF2010CCA58D,SHA256=CEDC49B17FE2491A524A7E4E98B791FF07B35E93A1B05B74C57DC454387D9BD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035900Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:33.994{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51712-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049888Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:33.359{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64620-false10.0.1.12-8089- 23542300x800000000000000049887Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:36.625{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277984E4302B08ABB7DB3D49CEDCA71D,SHA256=2CA2B0EF8B44399E6DB0F96B4A92CC0D35A5F306384289228D986DC52421D44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035902Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:36.837{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A58F162DC180576632F394D2A52D12,SHA256=293F865903622B1EBAECB27A6B090FCC0108D803A4196B87B0A9E6B2CCE8BC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035903Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:37.884{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A9DD255BFABCFB602E0F5060FF6976,SHA256=9179638800A5EC9721FC5B5110F51C7F4FD051FA42A47FC9349AC53F38A1A88D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049890Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:37.744{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\aborted-session-pingMD5=BF7675E7B27B93ABE1F9A1F355515BF1,SHA256=F7DE725E99C0D3B937052CC728C3B45028CB23F7AF7B218488E9E227DC0E5B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049889Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:37.644{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E03C410C61B844A91FF667C2D32E764,SHA256=386BBBB7C837940D12A22ACAEF8E810D1BA3E42766F77D5A4CA8A62BA360B69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035904Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:38.900{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6529B32CC490881F6C6C8FF64C51D1,SHA256=9634FFE2FB4B9DCACC5D8C783D31A799222F2B6296A97FC820D30368B56A2331,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049892Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:35.610{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64621-false10.0.1.12-8000- 23542300x800000000000000049891Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:38.650{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FFDF65C7F5B75C8AB4088FE4937890,SHA256=618955A743CAE01A9B474323DD8F9701E554B685361EEEAAF92288AAEEE03523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035905Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:39.947{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69278625A7E2DB3B7B018FB4D04D4921,SHA256=A4F1869DDB2EBFF9995B74AB79F07265D4B80C5147643F61F3241F4B24FEA689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049893Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:39.665{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C10856634D7E1D46E109290C59BF98A,SHA256=AA51E4E13998415A5DBCA79620F6321AE64DBA72E1E87FCA4371249E3B05E83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035906Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:40.962{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0310E8C59007AE3D5FDFF18758D9875,SHA256=90706391E966C40EF5BD688ADFAD28A369DFE40C61E5D4983C39C75F1348EA9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049894Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:40.680{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3DC859441F745B1713E03E51D9D7C1,SHA256=F5FFCA1A7527763427FAA43AC59B79B698D7A90A4AC1D3EC3F6EF8E33FA93475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049895Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:41.680{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A7052F9FE26E6DD28C4D634AA03B18,SHA256=8B416F001C7700A85AB1097BA4386B96C6AC619054174F0196BAC9BEA9CBCC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035908Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:41.978{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0066AE5B79CCA90FF4D0AB18B984E7F,SHA256=F919E399035FAA80AEA3D7F01A1780B1A5EE17C0735ED05216A56E7E0AC710BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035907Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:39.853{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51713-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049896Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:42.695{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45BA1C3EB06413E1CAE2105DC3B5A99,SHA256=1687CCA6B682ABF6850B45FDD02FF3294019A411C14F3B4C7601EFA701BE0A0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049898Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:41.545{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64622-false10.0.1.12-8000- 23542300x800000000000000049897Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:43.711{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DBD17CFA3423C4C6E26D7FC84069B4,SHA256=FB3BDEE0930DF366F48A26F44BD0C03434D8007802BC1536CEF1755CCF36CDD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035909Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:43.009{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A8A1F548C2DCA4F67C7E2592C0C9A2,SHA256=CEF40678CE58DC45DF16B28B26F953B4241AAEA19DD2706A9211A84742CA0900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049899Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:44.778{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103660F5456EC9E97B59C34C2A34FA0D,SHA256=B44B779F689E123EC93D3A85CB245F7655E403F6002320E7D5AB15AA3D500EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035910Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:44.025{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E7A31AF4C2A2ACBCE6C333EB4099C6,SHA256=5A507D9FE86C3592364F0960B40EF226F89E880774929670D72D4002FF87FA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049900Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:45.793{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC16215F0EEE98C8A99C454F769372E,SHA256=D30C86D63EE941D1B7FAA2C27B2492AD2D23F28DB136A301B79D0F676753FA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035911Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:45.040{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B12E459A8F3C20B026F5B8455A5248,SHA256=58BCFD2DF63F47D5DFA592E980DD9D03BD1507CA928DEBE29593FCBF19B5DD59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049901Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:46.808{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9D342A01F15C34985F9FF6FC5DD97B,SHA256=E463AACF9505D525CDF95B58D42838C46E973139D8FCB72C2DD534B61442049C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035912Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:46.056{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9939F6CBD91E74BCF57F17F152D5354,SHA256=2707B4A4C6555CA3E97634158C572F6C466A0909E2AE8B6BAD9E2510999D1176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049902Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:47.825{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98E4B67C407A1A069FDF6E5D840D621,SHA256=0A9A4D019E48027F69AA337F3D675F8AF1FEF2F2CEC353F270B26814E0DBE086,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035914Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:45.869{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51714-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035913Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:47.072{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E2E086990042841F0AE179E85B01A9,SHA256=9162A07A9BC2295BEFBBA16BCE3990FFBF5BF9E81A6D299E3F94918B90A46282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049903Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:48.844{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E2B5BB25C56BB1BD28EF2709CEFB31,SHA256=4045E72CC3FFFB5F89B2A8CB796E6E5E5F4BFEF469AF083475C50C030D7E217C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035915Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:48.087{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF9CB3019459DB702CB1053AF95BB39,SHA256=42326FF8FF1DCA2D210C07F83F6936C6955A30FF5AE700EEE117271FA95EA7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049905Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:47.494{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64623-false10.0.1.12-8000- 23542300x800000000000000049904Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:49.862{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A495E569571FB6E79A64BA1E31E3309,SHA256=3664DCC0C4C2BDA19B052190217D1B85EA9012B0289995633E0C95DFB1421D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035916Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:49.103{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E809B7953EAD466B774A4DA35ECE819,SHA256=D5C2CE0C75196A843B12A90E3FDBD42E7176CBDF6AB620A8D920CCF4F006C3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049907Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:50.876{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662B6AAD69455D9BABF68672F8C70C2E,SHA256=726373D7AA8C43546F30547085115B206586C1502CBBA706B7184344FBA8DC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035917Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:50.105{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E0E81C5BDE3216A68A1D7C6BA15153,SHA256=C6261E0E2A9603C2A190071D243E220A4B0AEE07195C318CC1C43EA2EFD54EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049906Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:50.246{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RF9f3f36.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049908Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:51.893{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86104D7B58F781722B439FBE54B26C2E,SHA256=11D6D678EFE4AF6BE4D9012B3C57AC421BE8C8F4490FDC3B283923DBB3B89B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035918Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:51.121{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1616F36816AD33E750E735AB9BCAC610,SHA256=A8D4C92CC0C3E8F96F24D18D3A25A85294BB0CFA847CD04FD6D0A2D5853DA0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049909Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:52.908{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74005935AE444F1C3EED3A7629620CE5,SHA256=8726DB47117304ABD49DBA5468927C9F12BF6AEF629717F0B7A5C3AF68E55FA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035920Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:50.949{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51715-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035919Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:52.136{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EEBE138024D49A0238A4A2640B8641,SHA256=30E00E6B1548500F5FB2032D860ADF9B748AE4B95D02CF43BB3CCF8127F73254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049910Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:53.925{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689EBDC6C7078306F19EFEC868547809,SHA256=9BEC855A65C32DE3ACD3AB9AA2A9DEAC94FB198B5BCB7ABF40838C964F73711B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035921Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:53.136{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1327FA3FD403764D46339122BA809ED,SHA256=966DF9871C9C7BB1179D2375F0F9655CF54F089CF36BECB8D17774E6D25F491D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049911Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:54.929{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8F2044F943DE1F4969878BCF8C29E2,SHA256=147324F05352C0BF7D154B367AFDBB9868FA12866A63644481ADC0B98AB74F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035922Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:54.152{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701DEFFC47CE58C8DC0340A62239F5E7,SHA256=04DDEA9330379E27E13A01C971E1B6FA4EC32FEDB9BAF33E876EAA42A3D92C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049920Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.946{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA630B695C870B19726F826E67CB904B,SHA256=A6C36FDBE11BE6F372EDAA98D60FF5793093C52F24B965C52F2EA3E837BBAEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035923Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:55.168{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B8D5A0B3513AFDE72DD1EFEAD44D5C,SHA256=A8CD5E2A6FAE8B1FE5221CB76CEC0A02EE2F80954FCFEB0A60C57CF7C3F73B82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049919Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.362{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D57-6112-A308-00000000E501}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049918Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.362{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049917Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.362{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049916Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.362{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049915Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.362{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049914Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.362{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5D57-6112-A308-00000000E501}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049913Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.362{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D57-6112-A308-00000000E501}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049912Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:55.363{82A15F94-5D57-6112-A308-00000000E501}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049940Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.962{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3CD0456404F32DC67DA11C89DADCD3,SHA256=85CF6FD967FB37A1C17EE1B61DC3F98148AA1B776BC71E14AE676EE3A5BBA1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035924Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:56.183{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFA7C1783A8D32C7B04FD85CAF46C59,SHA256=5D8B904EFCEF28671425C872441B2A220742B6B1CD94AF16A3B7907D147F127D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049939Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.730{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D58-6112-A508-00000000E501}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049938Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.728{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049937Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.728{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049936Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.727{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049935Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.727{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049934Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.727{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5D58-6112-A508-00000000E501}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049933Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.726{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D58-6112-A508-00000000E501}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049932Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.725{82A15F94-5D58-6112-A508-00000000E501}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049931Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.362{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E670113ACEBEBF4CB90D62DAE9F3D4E4,SHA256=C823C5A1ADEB2CEC81B57577946863F0A881FEB99B8A15980E0A0060681F5631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049930Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.362{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C68D9C292860B799BEE6308EB32981AC,SHA256=360D5899451AE180B57DFE488EDBC1ACCE6F72675A05F97F3EB6A6C0E0C2EF84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049929Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.209{82A15F94-5D58-6112-A408-00000000E501}47045636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049928Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.046{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D58-6112-A408-00000000E501}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049927Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.046{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049926Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.046{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049925Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.046{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049924Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.046{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049923Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.046{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5D58-6112-A408-00000000E501}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049922Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.046{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D58-6112-A408-00000000E501}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049921Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:56.047{82A15F94-5D58-6112-A408-00000000E501}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035925Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:57.199{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9961FE4195DD0D867A2C3EBC023286F,SHA256=51D32807244FD4FD6239DE25C351E4484EC9A8A09B195ED4A743D6027CCB8911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049951Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E670113ACEBEBF4CB90D62DAE9F3D4E4,SHA256=C823C5A1ADEB2CEC81B57577946863F0A881FEB99B8A15980E0A0060681F5631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049950Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.608{82A15F94-5D59-6112-A608-00000000E501}29445808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049949Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.429{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D59-6112-A608-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049948Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.427{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049947Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.427{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049946Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.426{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049945Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.426{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049944Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.426{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5D59-6112-A608-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049943Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.426{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D59-6112-A608-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049942Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:57.425{82A15F94-5D59-6112-A608-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049941Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:53.495{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64624-false10.0.1.12-8000- 10341000x800000000000000049970Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.931{82A15F94-5D5A-6112-A808-00000000E501}4316440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049969Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.778{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D5A-6112-A808-00000000E501}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049968Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.778{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049967Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.778{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049966Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.778{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049965Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.778{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049964Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.778{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5D5A-6112-A808-00000000E501}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049963Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.778{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D5A-6112-A808-00000000E501}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049962Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.779{82A15F94-5D5A-6112-A808-00000000E501}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049961Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.310{82A15F94-5D5A-6112-A708-00000000E501}22562240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049960Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.146{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43729A7E433E9FB0071AD3C7879E65C0,SHA256=C2398EA63E79128D1FB3B8B112D8EF5FE5199381A7108881A648440C19A6E2A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035927Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:56.027{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51716-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035926Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:58.199{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB17744D20D79ABD6BF899D9624E750,SHA256=8161E384A4274AC6DD024154F5202B650BD13A459186DCA33B348CDEED82E748,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049959Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.109{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D5A-6112-A708-00000000E501}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049958Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.109{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049957Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.109{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049956Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.109{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049955Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.109{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049954Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.109{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5D5A-6112-A708-00000000E501}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049953Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.109{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D5A-6112-A708-00000000E501}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049952Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:58.110{82A15F94-5D5A-6112-A708-00000000E501}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000035929Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:04:59.668{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd7-0x8f8e792a) 23542300x800000000000000035928Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:04:59.215{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047F86B50FB3FF0937DC10F30DF9C6AF,SHA256=7F523BB9E146998D13859CA43AEF7A7422131D3D0D5A541A41A55A24FDF36530,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049980Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.278{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D5B-6112-A908-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049979Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.278{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049978Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.278{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049977Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.278{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049976Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.278{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049975Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.278{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5D5B-6112-A908-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049974Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.278{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D5B-6112-A908-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049973Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.279{82A15F94-5D5B-6112-A908-00000000E501}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049972Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.147{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DE052BCD27265161246BB7BF2F8B56,SHA256=9872E0CF4F40240CD6B223FFA13503507F6C6C9153436C59A86364A30C3DDD31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049971Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.109{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=731640C387FD951D349CBBBC70CFEAF0,SHA256=C98AB1AE0572EE849AE4AB1FB34F0C0FF6C20E12256380695EFEB4F1A1E84326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035930Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:00.230{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62E9E3C4EEC95386086E3AA6A0A4C57,SHA256=A5F3BA963B3898E627D6DC7A1E4CC04DB962108A74A201870B9A08DCE6448DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049982Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:00.293{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2102A531DD6C4B94B46C447D01D4B493,SHA256=2BF1D2476CF34FB5CA48306B6EFA29433175634594A11BEA280275C92DECFDB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049981Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:00.162{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7BE9011D6651625459432C9C16487D,SHA256=C424B2C306D6DA2262218AA8002B08EA663B5A1ACD0E68D7A182BA22D1CAB382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035931Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:01.243{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43F966AEB50D43B03494A59F381C982,SHA256=B8B92E48164E6D66D0524751367CCE6BBC3DE694D30BD5856C37A498D8552762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049983Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:01.226{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C29821CD1FC76275E98166B1BA480EC,SHA256=D84B882017087703171E4EDF9854198F3256B50ABE7489ACFDAC9D0BF0102668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049986Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:02.247{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3694DCBAFAA6C2427E835A6BC16CC1C8,SHA256=BB6F73869C2C8616B5247873BDF3B8BC3931BDE1C8668A64D2303ED98E00AB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035932Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:02.246{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D393CE7DCD04D080C7513C90502EAD8,SHA256=B639B34645316F821FAB211C495DE8EBE7C2B83CEA3DC1ECAD5B913F37AB9A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049985Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:02.226{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8FF5DE23D937A7D2358B837F30F98E7E,SHA256=74027F5A314A5A977000C5CCA2A12F5479831169D7F9DE9047A0376A162FE979,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049984Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:04:59.496{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64625-false10.0.1.12-8000- 354300x800000000000000035934Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:01.996{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51717-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035933Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:03.261{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5460C272C3619FEF92B59372A743AE6B,SHA256=8B23A4189829AA5474331C93BC6E32E570C176F1210BDC3B7C33D81C1463F68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049987Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:03.277{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA1B0F91ABBD6FF09795175409EEE54,SHA256=ECE53013A0696AE9856E243C32C31DBF9603653CA63CE2415A3C06F77E86BE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035936Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:04.277{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D36E659CBF57FF2954B8C91D1D985F,SHA256=D51758881D2826924BFC5925EA8C30508D6440B262F9F71E7EC9AAA94139E3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049988Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:04.293{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBCBC64132AD10D8A5B6AE67FD0C4C5,SHA256=BAD23765D2855E9344DF1375D4E7CEA29B03D280703D3D1D3917FE8CD7BE07DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035935Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:04.261{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035937Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:05.292{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB2656FA3027B7FE5D8A022C0962118,SHA256=B2167FDFEFFBC65341A7CEF7CC5C64DDEDE4550DB39FBC8751C1D788D7EB4AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049989Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:05.307{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C3E182A87399B084D56AA71CD30B88,SHA256=B16735F5C006E6DAABFF5BB98969521001229F0A081CE4AE508AB686D2CE8619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049990Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:06.325{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D0549EB79ADAB27B39CC12172344AA,SHA256=74D43C6E180480F90A3C3B02F14208138B38C41E9B228D84E023B65687B08538,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035939Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:04.011{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51718-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000035938Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:06.308{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B702C5FB2DB28A5DD949067518C972B,SHA256=F1969ABD8117DEB7C368BFF5BFF9348E29E5042B5BCC8CC36E574C7D04C95120,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049992Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:04.610{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64626-false10.0.1.12-8000- 23542300x800000000000000049991Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:07.361{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C642795F0BAFB493FFBE359BDCEF9740,SHA256=987C7139C2D88C2E2322484E24DD5CF00991B35E9169C0EF085226D42EE706BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035940Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:07.324{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B711EE0C284749E19E839C09C6B92B9,SHA256=B7CAE41B03C70D9E61DD73A8E25CC101B855CFD1ADCB844842D8BDAE17D3FF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035941Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:08.339{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43D76E73667BC035DA1DA50B4990FEB,SHA256=2A35744B6270A041853736B79B654B9A50CB968AE313CF0E4ED5E09C36EF0D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049993Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:08.363{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CE977EAD4C9F17DFC68B9F6FE0E907,SHA256=5387015547A1E684D05C34C4CC7B41F9424E9179DFDB522ADB547A1FE0DC9D4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035943Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:07.870{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51719-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035942Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:09.355{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5559D8F3189F7EA6FF296FA104C628B0,SHA256=32FFA13B2067AA0A1A0EA6E2B374C2B44D93100ADDB3BBA62140326CAB33B2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049994Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:09.378{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D18D632E3AA7A40540770080CCBF0E,SHA256=8D2F26537FCD8013ACAE532EE6B3596DEC616376796C20DCFA60DC0B5D88D963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049995Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:10.380{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6DD62E45E8DD63A66F2448C58CF10E,SHA256=89CA4B8C45903194486D398DAA973ACA5E6977A3369D55B2B55EBEC244B87F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035944Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:10.360{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9477A916A3EF43307B30294BCBDA2D7F,SHA256=10D815B1A1F26D6E518540820DC1AA49B328EC57467965EACD144736F58CD7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049996Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:11.392{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92862651BC57B825F6E8CFB3C56370D,SHA256=8E8E7845FE5FCF5995C1B708C3DB5E163FE692BBFD11497CBA9B0F5F6E357BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035945Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:11.376{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987C3783782628E4143D4B5B0A98821D,SHA256=DD9B8FE8C5AEDCB67D8C57907847D98C1B518BED27DE035228EA79D31056AD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035946Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:12.391{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ADFB74EE0007421CE28D81140E320E,SHA256=4FE34A92982587412502E847157ABBF1E92C5C353236BE05AB5285A8A5701B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049997Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:12.407{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE67B16E235DF3F77348F1054D04C6DF,SHA256=BFBBE663F24C50176F44AF407FB2051403D2216AD5A01BD38B50864D97A083A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035961Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.860{82855F7C-5D69-6112-1307-00000000E601}32401680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035960Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D69-6112-1307-00000000E601}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035959Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035958Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035957Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035956Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035955Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035954Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035953Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035952Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5D69-6112-1307-00000000E601}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035951Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035950Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035949Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.672{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D69-6112-1307-00000000E601}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035948Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.673{82855F7C-5D69-6112-1307-00000000E601}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035947Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:13.407{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63D1D1ECA214A19FB86DBD2623DF959,SHA256=DAC3DEE15720CDBB6CDAF7D46EB09A236FA2A3E58D5F46E5E35C38792AA9DB6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049999Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:10.495{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64627-false10.0.1.12-8000- 23542300x800000000000000049998Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:13.425{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBE8134D5AEE8164D197C2443DC033D,SHA256=8F6DE7C667F560B3551B6A889898D82A76D7B99529D7069FFAE51CF2551D7509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035992Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.922{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B459B30A90614C41BFDA31FEC4456661,SHA256=E67F393FA05959C3F1BD05B8479E6E9673274B224BFE481FF00F076352D3F3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035991Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32D1E3A3E112F81C446BD72A3D5B9AEC,SHA256=CFCCEAC9DF76B6D3DFB3E59D0F339BA66DE404C4A5E865D4FF44B77EF9A11D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035990Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F6DEA443DC2445949A3C8E0B82E085,SHA256=C2724CB46C4565190BDF97F9E3B8D3CE97E49E00FC89C9D142FA873C07D5EEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035989Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=213861BC0AC534CB8A2E5AE81B09BC4C,SHA256=566FF4125D3A54999A24A491E43BF06550F25483BBF34DBD6E2A27252F9EBA85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035988Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D6A-6112-1507-00000000E601}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035987Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035986Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035985Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035984Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035983Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035982Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035981Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035980Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035979Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035978Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5D6A-6112-1507-00000000E601}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035977Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.844{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D6A-6112-1507-00000000E601}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035976Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.845{82855F7C-5D6A-6112-1507-00000000E601}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035975Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:12.954{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050000Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:14.445{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA9FA12659BC3170B9EFFA3319A144A,SHA256=69EFAC691369ECA8AF77DCDDE022897A1C84BB3790A301595CE108ED9679A321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035974Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D6A-6112-1407-00000000E601}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035973Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035972Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035971Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035970Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035969Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035968Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035967Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035966Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035965Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035964Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5D6A-6112-1407-00000000E601}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035963Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.344{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D6A-6112-1407-00000000E601}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035962Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:14.345{82855F7C-5D6A-6112-1407-00000000E601}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036007Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D6B-6112-1607-00000000E601}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036006Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036005Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036004Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036003Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036002Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036001Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036000Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035999Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035998Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5D6B-6112-1607-00000000E601}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000035997Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035996Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.938{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D6B-6112-1607-00000000E601}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000035995Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.939{82855F7C-5D6B-6112-1607-00000000E601}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035994Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.844{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32D1E3A3E112F81C446BD72A3D5B9AEC,SHA256=CFCCEAC9DF76B6D3DFB3E59D0F339BA66DE404C4A5E865D4FF44B77EF9A11D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035993Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:15.657{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C094415B06278101E6C8423AFD9104EC,SHA256=9B72DE3FA2E4393259B7F2C1540EAB895569B7B55E4B5D62E06BC059C6FFEE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050001Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:15.446{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7066D830F2B44FC76C962AFB238B358F,SHA256=59F2138E8EE6C55B9E79241B1AF133617A4ECBAE05C6F5741F313219ED8F6E14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036022Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.798{82855F7C-5D6C-6112-1707-00000000E601}1180856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050002Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:16.492{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400F41B8BB73BF2268F1F7C9EB588D97,SHA256=F0EB0025C8B3AD42CF523AA69CB926967FD1AE279919F19C279B87A0F2D13657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036021Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D6C-6112-1707-00000000E601}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036020Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036019Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036018Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036017Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036016Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036015Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036014Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036013Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036012Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036011Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5D6C-6112-1707-00000000E601}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036010Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.610{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D6C-6112-1707-00000000E601}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036009Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.611{82855F7C-5D6C-6112-1707-00000000E601}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036008Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:16.126{82855F7C-5D6B-6112-1607-00000000E601}11963032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050012Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.975{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050011Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.944{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050010Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.875{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050009Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.875{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050008Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.507{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E1D78CE58A0BA61B523854FAEC6355,SHA256=2ED7508B686A5A6963B93CD882A9CE7536096501B6940E4644744A0FCD462229,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036051Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.782{82855F7C-5D6D-6112-1907-00000000E601}36841500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036050Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D6D-6112-1907-00000000E601}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036049Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036048Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036047Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036046Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036045Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036044Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036043Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036042Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036041Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036040Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5D6D-6112-1907-00000000E601}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036039Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.610{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D6D-6112-1907-00000000E601}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036038Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.611{82855F7C-5D6D-6112-1907-00000000E601}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036037Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5D6D-6112-1807-00000000E601}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036036Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036035Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036034Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036033Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036032Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036031Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036030Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036029Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036028Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036027Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5D6D-6112-1807-00000000E601}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036026Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5D6D-6112-1807-00000000E601}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036025Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.112{82855F7C-5D6D-6112-1807-00000000E601}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036024Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2AF51149C2788703B84C8F843E4058,SHA256=30ECA39BEF008D03579CB06D144196F37965CAA3B9CF3E5F566F5C2B8D355F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036023Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.110{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE7A215FF924D95F16A1FCF478222E1,SHA256=F90FE44761C9D5D96FD43D5C29753A52071B701A2E255693AC4F3789FDFDE32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050007Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.191{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050006Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.144{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000050005Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.144{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000050004Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:05:17.144{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.71.160857794C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000050003Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:05:17.144{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.71.160857794C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000050015Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:15.661{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64628-false10.0.1.12-8000- 23542300x800000000000000050014Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:18.526{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF5B77BDB667287F4D08481A5CC99DB,SHA256=B7E34DA496679FC8D9AFF2F1DC543597978936128018B504854BAB6009359E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036053Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:18.250{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DE1AF996B912FDB954E00B96D0F843,SHA256=6B1ABD29CB3A8D44BD68CB5946EBCBF806F33675B10A3988FCB42C41C028D232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036052Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:18.250{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CCFB0CB1F435F300B45797BE3464CF7,SHA256=D48E1BF3E14E0FF6D84E41ABAC2E94E3902F48961120B753941D6676A48F571B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050013Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:18.007{82A15F94-3D89-6112-C804-00000000E501}64605216C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000050018Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:17.345{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64630-false192.229.233.50-443https 354300x800000000000000050017Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:16.644{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64629-false104.244.42.193-443https 23542300x800000000000000050016Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:19.559{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA0570314707FE9C5F29C7E0AEAC3C6,SHA256=E652A844CD4A2920EA64FC426D0545820A5A5741B8181FB12A773ACA719C8B1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036055Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:17.969{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51721-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036054Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:19.282{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A22BEBCE3B9D80E4C622A4021A8BBD,SHA256=494F43F5FAFBDA1DC5E285878E10CED09FEC50A380F2DF7D331B742D7611CE87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050019Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:20.574{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF426A9CCED63025702A6407DC87F99,SHA256=D92A0F0C44C7B92B7D00BFD934C2DF9A5A89A2406DA8CF47CCF5E77E0EDB6567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036056Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:20.344{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BEC67FCDC87C0D25EF757841BE19A2,SHA256=D081BFCC29A595BAC97DF052D2A65618DF848C5876715122B1F59260772EC00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050020Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:21.588{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E157E0B3F3483C45E156AA51931C8F4A,SHA256=507CDC55B51D9349BE14AD1277F61BDD6E0913DB31C9ADF142452C84CD39AA87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036057Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:21.391{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651532778472C82703BEF07AD8C23794,SHA256=86B52A2F1334FFC551E25261284EB6C299CC36522185F316000D0B72486146DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036058Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:22.407{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A937BC1FFA9BC67CEB2A07C630069E69,SHA256=01595716BFBCF4C03D70654FD534492311ACF5EC8D9DEE12791D35F57CF9B874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050021Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:22.589{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD22209F4CC7D9AD670BA3FA46C2715,SHA256=2ADAF12AA0CC1146051C816E4A2B425151C0F5930D69174239CDBF811BC2C385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050022Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:23.622{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC12A8DA54ECE707F419D3E99B8E6103,SHA256=AC30F39EEF7905A89B0A13828DD88607A232C419052C2756314D3CD9052F68FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036059Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:23.454{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFB611AEBBADA92D68F29D43A612366,SHA256=ECE71BA70CAA4D144FC3CEDFD2F43900A930D02B7782DE9B1E8D6A715735884B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050024Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:21.638{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64631-false10.0.1.12-8000- 23542300x800000000000000050023Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:24.632{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33926F49C5CCC9E1A18A19597B63A05,SHA256=65EC264456F1E364EB51DDC03BDDB236AC89EA3B40147C28AF925EEC02883A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036060Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:24.563{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1433E2DBD9FD2B304332B07B313A34FF,SHA256=39449C021BEA634999A98A90A4825C505E7C6A1A6E7A716029A9DF3696FB9DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050025Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:25.650{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B582870A5B26740FF0ACA10F713327E,SHA256=D14F322239E68897830C676F15E692B5CBC09A70D22EB22D8B296A5A8780DCD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036061Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:25.563{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC198D38CAD5200298A4818330CA72C,SHA256=CACB6842A7C23AE5A142839041D254508BA72C16408407D4DD144ABD4323E939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050026Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:26.665{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027E6990C64652614F94938E70011A4C,SHA256=EDE363AE8B797045241CDEBA23C0F0EBD49B9202E6337676D740D4B4F39B692C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036063Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:26.579{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9887A708EEBD2452D9A678F6E3168F9A,SHA256=A02FF5E144AAEAD8C9B7B1D7ECAC9ACD3A5197F445705B5F832D8CF11A12F8D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036062Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:23.907{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51722-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050027Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:27.666{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFADE029E37AD6105BE4B1005C557F9C,SHA256=2FADC3BA719E446A944BFD40845CD577F62EC2702B73E545F8758DDD721DA95F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036064Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:27.594{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DEA8A65822EC2AADB4A2DAB91492F6,SHA256=368544FAA1EB5ACBB736FCEF085F439D5939F5D31163F0D7DA9394674DF5DB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050028Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:28.681{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029DCF41AD5A2C5A8402D4534DC25D05,SHA256=3A61B42AA64D877F096194215320F63945396C02659FE1C6D27BD8B5E3235D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036065Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:28.610{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1160922CA2DE5FD0BA3D8EBDA347C55,SHA256=4D6CA18FE73EB95CDE4C0D4CAD13F40EC6080C6735C8DEFC22C022CAC696B70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050029Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:29.696{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A4A715781908E48B4FB4A2C1EDB732,SHA256=0D57463B28FFE608AD4D4C95FF0C814A5620027342D3CB46C9444A15F1B9A586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036066Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:29.630{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B81647BF53B3DD3A93537134263B322,SHA256=D7483E1DB8569EA971D88F21200BC330EB82050D12D2401D9046003E7093F8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050031Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:30.711{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0454E8145538853CF3DBD2198D96A673,SHA256=C889DD777D9540007FE7700CBA5C152AAE9D0B14F5D941AE4FAFEB8545DF6E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036067Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:30.662{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C374A07887E9BF7F85085B5B599D759,SHA256=3AC084ED5E0281E2B97D808EC332F288E4D11B3FEA92983E64256AD9C5D73022,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050030Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:27.562{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64632-false10.0.1.12-8000- 23542300x800000000000000050032Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:31.730{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB36446F8D5615DB3151D734E76EC1B9,SHA256=8B6F6EAC20D9A371B0DCEFA9A6E02CE333F43BCE7AA0F9490AA97C43411975F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036068Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:31.708{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C7B74BF3B61B22B8B7D4DD9A9434F5,SHA256=A1EF7E12F262EEDEDD0FB0C4035099E3BCE97575D78832F11C5BF3FF2EDF951D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050034Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:32.895{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050033Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:32.748{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBEAB560969FFC62F10203568C7DDDF,SHA256=91CDB4706318FEC314A58D5FDED0A93AAFC5F9C3C964E61ECE00996DABA1A0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036070Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:32.755{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC000F0F54A7062C5BD79E5913779147,SHA256=E7780F72B119A646989F9C64A35DE69B0857271AA9E958D7CAA04E652AB08DD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036069Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:29.833{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51723-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050038Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:33.962{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050037Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:33.763{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D28A669C2334EE28BE1C46AC1C2616,SHA256=7E6A526650B93F8848341AC041F0791A796E1A6172633579F31F2EF304E51A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036071Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:33.771{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE8E2C17F690E8A9FD448D2938F4AAC,SHA256=78B02646870C447B655773EDC819724C2CB16AB6C1647A9FC2D8EA81E3F05872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050036Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:33.131{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7F97FDC68253564D8E67E13D23771CD,SHA256=56FB1EE72EFB488BC0209973791E720D2225BC804933BECA9D0DA0E80186E33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050035Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:33.130{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6D71D0AFDDE92B3EA9815773610A268,SHA256=993287D9F02BAC3A35966C5865FC30ED3662351C3E90B04030364F06071C027B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050039Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:34.778{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FE02CF37DEC591569FC07DB2E7A82A,SHA256=E79136F249D59766F33F9EEA0A487734AF66BEBBF58901CC25B8436415062185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036072Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:34.786{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B594125A2EBD96E323F61883C107D3,SHA256=A9F8A48BEB0112CC8121B8554C2A01728B4C711C8D8B32BE84EE910BA8628344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050042Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:35.808{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5068EF9318E52F0F1A894D0656921209,SHA256=05C6F0F896E739583ADEFC145424728E7C91C08C72B27A4B3522F5889C514FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036073Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:35.833{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44613196067F12D25AA82821469062DD,SHA256=C5E71CC90CCA547984C813276BA752F99004C0F47761442525D93B5C490A545B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050041Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:31.545{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64633-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000050040Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:31.545{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64633-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000036074Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:36.880{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1704C6C3FF7696E2450A9DEA72E21A14,SHA256=D992AF9CF9E7924D62ABFCBD15350FD60B013CB44D6403E913DF568FAF4A49AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050045Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:36.846{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7068F81A45B8ADC51E26B437E0D48492,SHA256=8120534A073A2BA18CCEB72AE6FD0123A6F9313492D61CC8B5C7360B5AB2A1AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050044Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:33.480{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64635-false10.0.1.12-8000- 354300x800000000000000050043Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:33.381{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64634-false10.0.1.12-8089- 23542300x800000000000000036076Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:37.880{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292C6BA1A239E3BD5913455A9E18EAB7,SHA256=EFAF5C5445C2E8E17AA94302FEB9101115B1F5C31344F2178E2D3EE0816EC9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050049Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:37.876{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44194E11714B97D76B7708186462BD5,SHA256=2474B1EF99C5317D8B6EA9302EC3895EB95E05F3484DC05C6622D449E2BA5458,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036075Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:35.005{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000050048Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:37.761{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000050047Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:37.761{82A15F94-371C-6112-5301-00000000E501}7603772C:\Windows\Explorer.EXE{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF804014DA8A8)|UNKNOWN(FFFFDC8B5B4C5B68)|UNKNOWN(FFFFDC8B5B4C5CE7)|UNKNOWN(FFFFDC8B5B4C0371)|UNKNOWN(FFFFDC8B5B4C1D3A)|UNKNOWN(FFFFDC8B5B4BFFF6)|UNKNOWN(FFFFF804011F2103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050046Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:37.761{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF9ff8c2.TMPMD5=A72D704560554E569A1F2F3E1B129657,SHA256=A22BCA897F9BFBB1EB980CAFA2CF52CD83079651FFF0F1FD8FCC960A60172EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036077Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:38.911{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E93DA9CAA84B45CB1FAAEBBCF7DEF1A,SHA256=AC38705278F494D2537E0AE2A33BFB0C83119E573BE9AB6E0D796DD6144228F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050050Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:38.891{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970DA015395E8A63BFFA8B2FA8E5DAA6,SHA256=D09B07E5B7BD3BAD0249A1B00346CB11DFDCF3E1B9153D10A1F944BD45A219D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036078Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:39.958{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7401E691FD016E9ABC60060A3A169233,SHA256=6EEEB2A9194823DF09A7EC6A34B54334A2C4B4407554BBC717B8A2019F132A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050051Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:39.906{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABD160D71AB3498735F974295229807,SHA256=1B0676FD4E053F0837CBA5018F780F96A6E76642E1FF326ADBB4A0307E538B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036079Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:40.974{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1290E2ADB96946578F7B5F966F00E050,SHA256=FA694D3C2B2B84D186B7F9D97E8430DB0F6D90D1489825C9DFE4B9A6372D95C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050052Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:40.907{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F507BE8771A6A3D32C24F72B287579,SHA256=F496B9A01382E486DB1482462D05FA28C10C0A3A5A0B6FAD4DDE1658155E4058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050054Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:41.924{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EB02695F445EF05695C887C10CB983,SHA256=F5F86DFE0F86A78F9815BE4DBDBDBE1942708D4373A196E3F22F0DA34F4D8C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050053Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:38.510{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64636-false10.0.1.12-8000- 23542300x800000000000000050056Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:42.942{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8D453CB75ADDBF9D7C7B58DC227FCE,SHA256=B9FEA6FEA34D50F0FC27302328EA03794C4E729405CED0BFACECE786F91E4D36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036081Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:40.958{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036080Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:42.068{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EB4DEC94B4759DBF05D01D6E0058EF,SHA256=5DEC59FE81A3326C3C91634EE0E49B0CC22651AF9BD24D36FCB4E7761F37F1E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050055Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:42.106{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-371B-6112-4801-00000000E501}4760C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050057Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:43.957{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4118CCA841670845A4889F5BCE3E079,SHA256=4FF95963277BC817C1462DC0296F098913D990B498E450B41A91475B5EA0FF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036082Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:43.099{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513C5102B8ACC832796F700ADCEF6FF7,SHA256=94A686EAABCE786EDF13E1CDE58CC3665B73D21AE7FA4343980E9A1C28589B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050058Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:44.959{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2147F0961E77EEE6335BB33C05E90FF8,SHA256=227E676786D1ECF6A9D114554C6B67AE1A2C93822EC5158CBA67FC9D281DA906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036083Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:44.130{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB96C6BF1599AE1CBB71DF6D802FF7B1,SHA256=7C203602117AF5887A136D5D86FD6FF192DFED722514175B0EC2A1932806EED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050060Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:45.989{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981FB0F341CA472748B5D6B7F895386B,SHA256=567ADB1F8263DC7C640A0258A5DE5C8AA22221BC4914AFD94F484B4B1C66D27E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036084Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:45.146{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701420E634F1259F20D5B73E6C9F9105,SHA256=3A63CA6961F8E3237146413FE5C325822C20769DD7294AEED21CF7AF1ACC1076,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050059Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:43.557{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64637-false10.0.1.12-8000- 23542300x800000000000000036085Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:46.161{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56077B37B2C757F0DCC502B777D7AA0C,SHA256=587C4466DD1491FCEC31E9332E6E8C20600B2EBD2370AFDD3A243E480EF362A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036086Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:47.208{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AB978EE487E1F076E60D0C61EE51CE,SHA256=B096BF208CF6CD01B6D0315E8153026223E5CF77EDE0432EB3F161A7B4336CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050061Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:47.004{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52812A46A8E9A1785EB55A209ABFE4DA,SHA256=9E0E0A0CB34702BEDC08B296E1EC6586AB00B4CFF00308F1F625E5FE624C72B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036088Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:46.958{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036087Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:48.240{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6543E17A7EFCC95806655F527A27F70C,SHA256=4AB3DEFBAB2ED8ADCEABDE8D98D7C4EB5E2225BC6B45CE8FF47A5545855610AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050062Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:48.021{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F39270E954AC20A427C7D0D2B40F83,SHA256=5F336E0F6582115FD2FAD0C7A203EE9E91C395610B2EAB9CFFFC545F76A00655,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000036090Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:05:49.460{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd7-0xad3c374a) 23542300x800000000000000036089Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:49.286{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493C403D59477144F9222F4BBE684ACE,SHA256=650A41D093D2295ACEECD1693A892CB517EAE874E9806361B48E4CA0E7F63BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050063Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:49.055{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B990BE919D97D23115FA3C366280E7A8,SHA256=0DDFBB8159B251C626225BC8BC525D5C33DBF07EABBF68ADBAB31713D7EBCC1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036093Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:49.209{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-456.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000036092Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:49.209{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-456.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x800000000000000036091Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:50.304{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2581284732F2730CB33A9E8254A9D30D,SHA256=28B63AF0716DFAD479B571B3A95BFD672F04F09C452F4A0919EA0464CAF48B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050064Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:50.086{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AED7A79FC58E7E823D12569B9C6869D,SHA256=57AF9103910C649307198C1994A4DEB8A6E3253E2C177E67D4A495C5D9536181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036094Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:51.320{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE70883076E57A4BBF00064C1474F15F,SHA256=24B09813C03AAEF7D8D7B6A61519E80C0B7632238E4095D3795D3479C5DE95C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050067Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:49.473{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64638-false10.0.1.12-8000- 354300x800000000000000050066Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:48.878{82A15F94-3493-6112-1000-00000000E501}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-15.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000050065Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:51.101{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84788E6467D83F9D6819DDC7D4156E9A,SHA256=8B3061A3C4A04C0D5C641DF4473B12162706EB96621EF764FEBC3CD3D7B4D34B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050068Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:52.119{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0907E78FAD56167C0562719AE5F3227,SHA256=C169A53D01BE0C45B6B4CF1E6E837C1B3DA74ED9AD6E66887FFC02A334884BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036095Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:52.335{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C39AB629599B61C83BA5878712C1C4,SHA256=B6A4FBC7801D7E3BDCE966C8B727367053B8B618C06622B58F12DD13A5078F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036096Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:53.382{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDBE14836FBCEDDD6A7A073F8ED75AF,SHA256=4A62060342D694D4329EC3A33B70BC15340DF20DCEEB658107A6815BBC4BA4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050069Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:53.136{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E720AAD6E8E008CAFE347A81BC3A7F,SHA256=1BFD1A9E9DF20F9D8844769742847F649ED16D79E481B342C55A9A6CC806C008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036097Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:54.445{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC768041ABBB665E5FF62C8CF9140CC,SHA256=75317D4C8818DE550C13DB7AB0F80F7135CFE9BF5199804603DA1B523364B2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050070Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:54.137{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691364912422129A05955EF7EE026974,SHA256=9B279C4390EE120DD21B3CD862912E6F4E4687AB87E440B161ABFCB64B638FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036099Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:55.476{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9CC148486BBC4076E9539F86A30D4E,SHA256=4250E4B38CD1541CA837B40F817E93056C54C2CB95A481744C816204DF1B3407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050079Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.368{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D93-6112-AA08-00000000E501}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050078Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.368{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050077Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.368{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050076Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.368{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050075Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.368{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050074Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.368{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5D93-6112-AA08-00000000E501}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050073Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.368{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D93-6112-AA08-00000000E501}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050072Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.369{82A15F94-5D93-6112-AA08-00000000E501}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050071Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:55.153{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B510B9FA743BF67ED5AB08EBA17AF5D5,SHA256=8E7264FF6DEEFD73144C846DF1880FAA5C68731AA17BD95C79EC7E19FD8A11B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036098Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:52.882{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036100Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:56.523{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3983F08F724C778D5DF2E502298664BE,SHA256=E7508E0AD4739EC6BD313BCED876DC6555D41A84E2EE2175A15BD562EA2DFB6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050100Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.719{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D94-6112-AC08-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050099Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.717{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050098Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.717{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050097Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.716{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050096Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.716{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050095Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.716{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5D94-6112-AC08-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050094Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.715{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D94-6112-AC08-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050093Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.715{82A15F94-5D94-6112-AC08-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000050092Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:54.687{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64639-false10.0.1.12-8000- 23542300x800000000000000050091Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A29542E244CD2D57BFC136625D9C78F,SHA256=5CE8701D9998A2A510BEAB8306BE4297B34EC240DA70CBB6B4C3BF15B9C13EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050090Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.383{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7F97FDC68253564D8E67E13D23771CD,SHA256=56FB1EE72EFB488BC0209973791E720D2225BC804933BECA9D0DA0E80186E33E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050089Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.219{82A15F94-5D94-6112-AB08-00000000E501}61284892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050088Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.167{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE2228FB2A1214D3B6B2B4C8D6269AB,SHA256=AC705C5276E39DF38D4606B372994D5F822D1FCC00ED61A9EBFFCDBDE04EE4B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050087Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.052{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D94-6112-AB08-00000000E501}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050086Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.052{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050085Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.052{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050084Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.052{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050083Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.052{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050082Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.052{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5D94-6112-AB08-00000000E501}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050081Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.052{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D94-6112-AB08-00000000E501}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050080Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:56.053{82A15F94-5D94-6112-AB08-00000000E501}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036101Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:57.554{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFF43F38589280F92A12C0BEA974B1E,SHA256=CE3236EA3868DF5B53E5BBF20419C46FE4976D311D7C4A51589D4EB445C3E62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050111Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.719{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A29542E244CD2D57BFC136625D9C78F,SHA256=5CE8701D9998A2A510BEAB8306BE4297B34EC240DA70CBB6B4C3BF15B9C13EE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050110Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.651{82A15F94-5D95-6112-AD08-00000000E501}41565084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050109Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.435{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D95-6112-AD08-00000000E501}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050108Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.435{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050107Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.435{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050106Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.435{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050105Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.435{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050104Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.435{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5D95-6112-AD08-00000000E501}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050103Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.435{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D95-6112-AD08-00000000E501}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050102Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.436{82A15F94-5D95-6112-AD08-00000000E501}4156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050101Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.183{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994538BC68FE023D737664150B8EA1BC,SHA256=25F5055C0EFC7CA465DB83DBE0E9BB2C5A442D3A69EFE7A2CF90C3BD3A92B01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036102Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:58.570{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE82B75EBCE1E0CE169F2C391734DB9E,SHA256=39874A03F371161E93D9AA2F507F594434090A810E3003203931FFBF9FF854AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050130Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.835{82A15F94-5D96-6112-AF08-00000000E501}22644996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050129Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.682{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D96-6112-AF08-00000000E501}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050128Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.682{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050127Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.682{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050126Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.682{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5D96-6112-AF08-00000000E501}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050125Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.682{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050124Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.682{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050123Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.682{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D96-6112-AF08-00000000E501}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050122Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.682{82A15F94-5D96-6112-AF08-00000000E501}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050121Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.198{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70B040ECC84F2A3BD8DE2C4F45C6DDE,SHA256=DF1BEB520880C1F1A143CE8F253B83561DFEC13625D588D12B125C921CE246D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050120Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:58.151{82A15F94-5D95-6112-AE08-00000000E501}49723468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050119Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.998{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D95-6112-AE08-00000000E501}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050118Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.998{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050117Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.998{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050116Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.998{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050115Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.998{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050114Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.998{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5D95-6112-AE08-00000000E501}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050113Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.998{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D95-6112-AE08-00000000E501}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050112Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:57.999{82A15F94-5D95-6112-AE08-00000000E501}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036103Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:59.601{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2650A4D17D817C6E0E5AF636AD1D082C,SHA256=8C74903FA0A2ADBB000767BE77707E571897A7671F51E00B1E57BF62AC17EA8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050140Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.351{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5D97-6112-B008-00000000E501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050139Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050138Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050137Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050136Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.351{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050135Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.351{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5D97-6112-B008-00000000E501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050134Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.351{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5D97-6112-B008-00000000E501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050133Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.352{82A15F94-5D97-6112-B008-00000000E501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050132Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.198{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16EE3D1DC8AA7F31242CE721CD91BA68,SHA256=654E21DBAAECB07FF380E8D469E6696409BDF1F0FAD839AE1F3BCB14DE6FA235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050131Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:05:59.018{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69CCFB7D4C836088C3C8D7143F7C8581,SHA256=26B61BD2B212687C802DEEC154E2575727DD471D48655A4F8AB0C6B0E8347E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036104Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:00.632{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CC3EC5E7F8793DA45A8C3F2D290024,SHA256=AEAAF1026E393F42CF179D2224D8BDAB3B004F43E73AE07EF2EFB808C0AE0F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050142Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:00.369{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A8CDAB4A5A81C018AE81B7542EF7C8D,SHA256=179AB453D846B3EB82D0549D95945D90E64FA254BAF694022900685B55EDE439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050141Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:00.238{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDA37ADDB3DACEB5F665D084A14D408,SHA256=2ECA6D82D1CEEED7C3B06B174328A759B0119B60269E1C2775B986F781001F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036106Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:01.649{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952ED3F895B0FBBBB47A8CDC3FFC4BD9,SHA256=D4A4484570E52B9DF85E95DD408043C9C63AD18118459F11BF6615BC03064A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050143Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:01.269{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306E93252CE5EE3813B91CBCD50E3732,SHA256=F6808B9F3BAE647D7784ED571C22DD2BB3EC629C39F52EC0F7F48EF6E1B314F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036105Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:05:58.929{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51728-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036107Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:02.679{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6EB16A6E884952CD875B6F114622D0,SHA256=EEC74BE14BE27D21FE3A095BDCC931B0C34CF47E8DC6FB8D1AF2468EAFDF1FF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050146Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:00.635{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64640-false10.0.1.12-8000- 23542300x800000000000000050145Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:02.284{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241E49C0BC0A92B199E90642F8C44D02,SHA256=5ED2D162010E49EC3AA95A75E9E9270273B2C04935235FE92D461BA3E8AE4DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050144Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:02.237{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D129780ED756C307ECBAFA1356E3E792,SHA256=1C66F708F72F4254DA7831DADE537552321360EEC0543A80F913CCA78018A4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036108Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:03.682{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F7A084CEC0A758FC94D2CDA4308BC0,SHA256=616049BB7A165989E25AD828B79C7516076A2E253F1527F5BAED15EC565171C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050147Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:03.317{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DF8D9CCA2F3EB277847259E8486727,SHA256=6D45C3E0C754E0E28C53926BBE65CB279AF029ABADE92BADB989C84D30EE00A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036110Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:04.713{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BECA7A332F336749E7709055B6BADF1,SHA256=86C74D7EF658F6E8EB92137E017CBCCCAD0900C4E3FB6DA4975E752EDA23C00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050148Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:04.335{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE2E952D079CD562FB372E723C0616F,SHA256=F4C01B48F9A199385F210CF7712C5907B3749DDED8382F8023B04AF27EE2729E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036109Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:04.291{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036111Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:05.744{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4CE355A843DBCFF74D78B3EA1994C0,SHA256=BB128D662D1AFE2F7D8DFD3C150EE63E8B6ECD6C3135D8A2BDA6A5E1FEE3E3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050149Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:05.350{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7B94EA9361147B1F4DF1FF57314F11,SHA256=631DFEA2FA9A2442547AC40C626DB77F86607939F895C146F331AD5B2BD5219B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036114Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:06.760{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7232E76B2DC248C05E9A830F10CF5C8,SHA256=58D0C378F17C0F0A9BA500F1ABF3CF70A6E3BBC5199411678E2CF6C0D6FEA900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050150Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:06.365{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29C4F624312721C7B6573D0B0BF3403,SHA256=536A7AEA35F7195DAFAD7DDF2DC24A824AA3F2D2192506C6C8C114E3D7141302,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036113Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:04.041{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000036112Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:03.947{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036115Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:07.775{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69651D32436A74B64F36C6E3E1E332C,SHA256=E5C3C40809950B9A496B2F80EA4A5FC05EA0957D75BC1D0950D9738DFE6D96FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050152Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:05.668{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64641-false10.0.1.12-8000- 23542300x800000000000000050151Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:07.366{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F32561DEDDFD6F5A98EF33030213987,SHA256=2488A02C21B14EABB63397BF5A31FF656C5B79A2259E6C174BE833F78347E1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036116Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:08.807{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9130E37509809DF50410F54C0A61709B,SHA256=47F008FE13039CF36F4588A64E2AA5573575BC091C643B46E5E98BC88DED95A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050153Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:08.396{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF18BF0A645F39845A5BE71F1D8056B,SHA256=2BD60B4680EBF345652A8AECC8BBA722571DFE7926A844DEBDC8DB3829B902C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036117Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:09.831{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7DFF6A36E21EFFA073EC95BAD3AC7B,SHA256=272F34DEE6FA7671C3AFBF91AB928E3F7CCDEE73C70B0B70B2BC0EB76FE3BCA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050154Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:09.413{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C7C76FC6E1329710C55F4119D7D55A,SHA256=B8934D158EA809C0B177F1D6D693ECCAB8D133044E26679D81EBADF4FEEE1EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036119Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:10.878{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B00F2527CA3B51F01EEDB66C61DF5F,SHA256=3C684C55C1DB2718EBD2BCB83A52DFDD6848DD520315FB97F844C605E79A3CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050155Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:10.448{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4DDD31C7E8B9967F7B2FDFED9836B4,SHA256=3E3B0079F191826B2E6B4F21ADF55577505A540654A66046DFE003DC772F0211,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036118Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:08.947{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036120Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:11.940{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D108D56B59B412FDC0FD4A9DD3C46AE,SHA256=2375E5C70A4493E0F96C4397981773CAE051DB469D45EB133F62FA9BC2F4EE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050156Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:11.464{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB43835BCE21B02EA5B42A03400C7C3D,SHA256=7515C2FFA62920153017AC9FE745B9607D05C51C1643DB02BDE3CD7372B843D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036121Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:12.956{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC2BAFCFC5BD6DABDC17CAAA9D57ACB,SHA256=B7E6CED851773233E0A9D799B1B5C7909DBF1CCD7A339802329604E4B02A0239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050157Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:12.494{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD60A9F8A6BF46C272C3FCC9F336551D,SHA256=8D23C466654186E673E1421B82046D7B70D1010E631F6F54D17593341973B4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036135Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.971{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18B7E8377695FF34FA4711A7154FF6F,SHA256=EAE972B4848057E2CB3B2F9BAC2D568EF69524BA1EF3C2D489BD9F38E156C680,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050159Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:11.648{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64642-false10.0.1.12-8000- 23542300x800000000000000050158Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:13.578{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C042E2694414F0A144E16CEAB212ABA,SHA256=63B82DF4CE97E7AC11920C45CE5F71A60CD336EF6AE642FCD5D0E219AB876D26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036134Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DA5-6112-1A07-00000000E601}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036133Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036132Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036131Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036130Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036129Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036128Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036127Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036126Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036125Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036124Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5DA5-6112-1A07-00000000E601}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036123Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.690{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DA5-6112-1A07-00000000E601}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036122Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.691{82855F7C-5DA5-6112-1A07-00000000E601}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050160Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:14.593{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F2FDFADB8CAFA9790C96AF9B0CA014,SHA256=0347A38180E5213F594768AD331F691E6162A6138768809080BBE73CA9A9C0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036164Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.924{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D597199A18639FEBEA0BC657E8E72D45,SHA256=B297B602FBF25C288039129B15240D580BB3A83E788FA3AFE1E8B231FA141B07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036163Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DA6-6112-1C07-00000000E601}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036162Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036161Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036160Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036159Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036158Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036157Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036156Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036155Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036154Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036153Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5DA6-6112-1C07-00000000E601}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036152Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.862{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DA6-6112-1C07-00000000E601}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036151Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.863{82855F7C-5DA6-6112-1C07-00000000E601}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036150Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.846{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66BE3549A77F34CF24D3B70E1A542A08,SHA256=FCB1D84AC36BAFE2A03005E234B1B11CCCA1DE2D61F6770311D8CF79C2EF3605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036149Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.846{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=993F8E95BE977291C354FCB1AC6CC9EB,SHA256=E9585D5335E258EFAC989197865A33203E836D3F883EA339D666CA05380E4388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036148Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DA6-6112-1B07-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036147Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036146Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036145Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036144Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036143Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036142Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036141Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036140Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036139Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036138Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5DA6-6112-1B07-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036137Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.190{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DA6-6112-1B07-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036136Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:14.191{82855F7C-5DA6-6112-1B07-00000000E601}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050161Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:15.613{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024DDFCC38D0E060F5F4DDB054CC4A1C,SHA256=82419BD6FD8E3BEFE784284527EF7B0F73E9FAFDE1D42438F3B4B7B4AFFB6124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036181Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DA7-6112-1D07-00000000E601}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036180Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036179Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036178Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036177Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036176Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036175Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036174Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036173Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036172Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036171Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5DA7-6112-1D07-00000000E601}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036170Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.940{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DA7-6112-1D07-00000000E601}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036169Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.941{82855F7C-5DA7-6112-1D07-00000000E601}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036168Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.893{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66BE3549A77F34CF24D3B70E1A542A08,SHA256=FCB1D84AC36BAFE2A03005E234B1B11CCCA1DE2D61F6770311D8CF79C2EF3605,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036167Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:13.971{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036166Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.331{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E33C9B04835468C064F89186382AE32,SHA256=2245418FEB9538F50A02C7EB1CCB742A96AA8C0F0CB2702A1926BE8E73D02CE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036165Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:15.049{82855F7C-5DA6-6112-1C07-00000000E601}9561044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050162Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:16.629{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D3CD73A2142B157213892D799EF6E0,SHA256=70BDC68C55F1B71D82496A234B33719AA9103A9EDF5940BFF3CE5E1B8D9418A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036197Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.784{82855F7C-5DA8-6112-1E07-00000000E601}6281148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036196Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DA8-6112-1E07-00000000E601}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036195Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036194Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036193Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036192Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036191Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036190Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036189Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036188Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036187Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036186Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5DA8-6112-1E07-00000000E601}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036185Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.612{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DA8-6112-1E07-00000000E601}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036184Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.613{82855F7C-5DA8-6112-1E07-00000000E601}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036183Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.237{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8918FE62ECF67D8F65494DA9C9E73017,SHA256=C8B957E672B55E8F68D822323558B09AA6E78838F2A467CC46C71311B1004CDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036182Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:16.096{82855F7C-5DA7-6112-1D07-00000000E601}17722056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050163Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:17.645{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A598120F9072728ABE62BE1F344FD9D4,SHA256=327ED5AB9592B8EB4DADD5413B09C176CFABCB95942B5E35514FCE0082AD17FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036229Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DA9-6112-2007-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036228Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036227Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036226Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036225Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036224Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036223Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036222Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036221Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036220Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036219Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5DA9-6112-2007-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036218Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DA9-6112-2007-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036217Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.956{82855F7C-5DA9-6112-2007-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036216Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.424{82855F7C-5DA9-6112-1F07-00000000E601}26361976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036215Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DA9-6112-1F07-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036214Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036213Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036212Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036211Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036210Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036209Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036208Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036207Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036206Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036205Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5DA9-6112-1F07-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036204Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.284{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DA9-6112-1F07-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036203Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.285{82855F7C-5DA9-6112-1F07-00000000E601}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036202Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.253{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F39F5D7937F66B2A6523E683BDE7238,SHA256=D623776E7F2E4EF8FDAAAE19634AA8E10AFCAFBA6F40CA039B4E1E012715AE37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036201Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.096{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036200Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.096{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036199Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.096{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036198Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:17.003{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90BCE17C0124CF42E968D64EA0C9E948,SHA256=0A31CA3F46F295CCD5A2BCDDF4D9565B40AAB56E7F928B974DE5FC0BA9FA40D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050169Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.729{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050168Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.692{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-CA04-00000000E501}6944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000050167Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.677{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-CA04-00000000E501}6944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000050166Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:06:18.677{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6944.19.92868483C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000050165Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:06:18.677{82A15F94-3D8B-6112-CA04-00000000E501}6944\chrome.6944.19.92868483C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000050164Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.660{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE55ADF38B6489A136259D663AF1413,SHA256=19C398D87D4FC562229F67BD81911380B5D960F6F2AA9B84766D3415EBCA9E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036231Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:18.596{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5480FCF69251C89F274B9E707630616,SHA256=B117F4BB28A50699FC48B83AEF61D10D48070EF60FB85820AA63DE545E6B5A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036230Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:18.284{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC3E611C915FC27FA9DEB2DCF57C2D21,SHA256=54D04D5489CFDEE61C60543BC0535FB285FC2926C0FF2C898CE4F7832A8898FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050170Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:19.691{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5A3FDCC1F9DFDBB1D6715F876207FF,SHA256=439FCCB2FD14E322A0C4F4D0EC979B1255EA7922F35319ED74E024C3C6B43116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036232Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:19.331{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6043092E3BC005E9572D67A7896E1A00,SHA256=A02CB152329E852F87268BAFB82E40440C8AFD0E0BC4B0A987A53885DEE295BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050181Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:20.891{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050180Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:20.891{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050179Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:20.891{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050178Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:20.728{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A379A3A50F2E36DA614B05B0C5D09C12,SHA256=1B5F715C1DB9443C8AB4EEE081192388661E21139F3F737281B0BA40E923525C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050177Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:20.728{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059196BD01298EBEA79DC2B4D28F8425,SHA256=5D2DEE6029F2D40A24DC3E52D5414B7810BC41639D625C1FA130E145119868AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050176Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:20.691{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E46F922F44C6E4A816D8DCBD40062D3,SHA256=4FD99A6D9CED9DF351099DB1E9A7CA7C47C4C58D50EBD528D1C5931794AA2E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036233Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:20.346{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC69177DE2993DA58AEDD66F85AC0BF,SHA256=29D08D76D3305AE96283A10F176702282BBB36A6341B3706009C0B6B74FA79AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050175Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.341{82A15F94-34A5-6112-3D00-00000000E501}3504C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64645-false169.254.169.254-80http 354300x800000000000000050174Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.340{82A15F94-34A5-6112-3D00-00000000E501}3504C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64644-false169.254.169.254-80http 354300x800000000000000050173Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.327{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-35030-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050172Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.292{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-34491-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050171Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:17.678{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64643-false10.0.1.12-8000- 23542300x800000000000000050185Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:21.710{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6371C7A2732F9483C9BE4BE35D40D8,SHA256=05705F6C978A35381720664939085AFAAFB90432844B753ACB0B1A0A9E7F7CA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036235Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:19.846{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036234Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:21.378{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AB7A012BAA50F7DA56796EF51BAD43,SHA256=58EA4DAE6EC38FD0BDC683F482EC00ED6300D48DB1886F7D1A3D3BA5E6C0A326,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050184Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.509{82A15F94-34A5-6112-3D00-00000000E501}3504C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64647-false169.254.169.254-80http 354300x800000000000000050183Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.398{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-35125-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050182Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:18.384{82A15F94-34A5-6112-3D00-00000000E501}3504C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64646-false169.254.169.254-80http 23542300x800000000000000050188Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:22.861{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A379A3A50F2E36DA614B05B0C5D09C12,SHA256=1B5F715C1DB9443C8AB4EEE081192388661E21139F3F737281B0BA40E923525C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050187Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:22.730{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228069BADB9FCE8BE1AB4BE68F518D2D,SHA256=3F5135B79AF544A9EE5C4A7AC7B0F77D0329ECEF94E34AF912F1B99B43D2AE4E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000036246Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000036245Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00991862) 13241300x800000000000000036244Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcf-0x5ef24888) 13241300x800000000000000036243Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd7-0xc0b6b088) 13241300x800000000000000036242Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78de0-0x227b1888) 13241300x800000000000000036241Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000036240Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00991862) 13241300x800000000000000036239Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcf-0x5ef24888) 13241300x800000000000000036238Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd7-0xc0b6b088) 13241300x800000000000000036237Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:06:22.768{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78de0-0x227b1888) 23542300x800000000000000036236Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:22.378{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3A6FB0E26247877C30FE49A5CCFE58,SHA256=C2C75F0C4A598231E799CB1F5E40530B2768FB5930304213F78600DFDDF95FE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050186Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:19.409{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local65535- 23542300x800000000000000050190Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:23.746{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC66804FD9B642FE2CB0EF3692A59C2F,SHA256=58E48A0FBF3D072413731DB747DDD1792364BB8B4EFC459BA2F192C422B42146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036247Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:23.409{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4124FB1A82415D6ACDF1CBB8F9ED304,SHA256=4650125359896FB2EA49C0459C45CADADA071855D0D35348F1F42ABA1AEA351D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050189Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:20.429{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-39322-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050191Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:24.792{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086D3B17D480F60EFCA0FD69CE150950,SHA256=9DBF2278C60A91E9A2B5CA619B9F1F7AB21DA7BC4C9AEE4C17E928D5B872C968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036248Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:24.424{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A892411CD38F087EC048751688B7B4,SHA256=FD259DF1FF32A1F174704D10F9946D3E34375F25B44A83564A715A0FD958465C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050195Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:25.792{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C940ECB79BA078C6532D5DF7B20E8FEA,SHA256=71DFFACA7D149358B050BB2EAA7EDD17AD522D1891E54BBC11F52C8F9ECE4CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036249Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:25.440{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C38F4E206FA04867B767EFDA441A51,SHA256=BEFAF50697C11FA86CCD45382C8377FC539B8BCA06D6D3BC78434494FAE75535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050194Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:25.210{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB6F2BBBEE7F4D86D08E3ACE87F334F3,SHA256=A50C8FC8ED7AFB57AD231AFBF5EFC446D898B85A308523E832E7B9F1A30CC576,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050193Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:22.736{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-43548-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050192Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:22.680{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64648-false10.0.1.12-8000- 23542300x800000000000000050197Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:26.792{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2972E7C0EA65192489033715DC8878,SHA256=93942ABA5CE7BCB9400926846DD08662A812CF566513073344D9DF690D1CC2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036250Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:26.456{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C718694F64F46C56304EE25F26842D,SHA256=B9A8CA2C9229D55A131167319042F3161F368F8DDECEA0AB8251D2412A8EF10C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050196Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:26.445{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3493-6112-0C00-00000000E501}840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036252Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:27.519{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697D95D7AF95DCA43D6597E24A81E397,SHA256=4F385A9C09B48F80ABED2FC43EEEE821577C0395AF2601A62FA7B33D9CF58B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050198Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:27.810{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480D41007111F9C4FD65B23C5DDB3E18,SHA256=E64FB8A61730D378CE96427C16845EC361C6F7679949EA683970569D8F37DD29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036251Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:24.986{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51734-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050201Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:28.829{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0911AA5D0E7EC4696FD6C03C24A3176,SHA256=951DB79DE6FC07BE8877925BD02114C9A09C7C80A176D1769F77E3C5BCFB4666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036253Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:28.534{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533CFF0E0FCBE44B9B95BC07E0413534,SHA256=1EF7FC22FB50C666D51EEF5FA0B8ABD1A41C2A952ABE193AD926795478341746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050200Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:28.245{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B252D265203CB4AA92BEB3DF17029568,SHA256=1B774D329371F5214D4569AFBFA59D9B646B966E444543D01B4370C2FA7BDA49,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050199Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:25.381{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-49719-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050202Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:29.846{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3AA2682255EAE2F9D8D395AADDA3AC,SHA256=F42622574837435A451AE4AC4937ACE6FED9E06C45091A546CFECD957C39C31B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036254Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:29.554{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC01B50AABB9D5BC55F56F14CCB6DF6,SHA256=03E20B51BF7CFF35E665D20A7F412593E334981A67EF8E9CD0EC4171D1688335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050206Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:30.847{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D388195A1E6690EB9C5529A9788DFC,SHA256=085D455AD00CE1814DE9E14980ED1A7FFCA138ABEE9FE264CA641A1CA20AB57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036255Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:30.585{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B280894BA6DC11638E7ACE0DCD88ACD5,SHA256=04512976271BCA53337E7F174F8518347070790612AB1D61B878FCA8F9F91A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050205Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:30.747{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050204Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:30.712{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2009C9C1E0C3E2052D75304DFF6B1924,SHA256=D8EB3E2F705463AECC726089D8934A5A2883E22B0149B1DB07D75084425F8744,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050203Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:27.934{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-54296-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050209Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:31.912{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04399EC6DE158AA456C5326A2763761,SHA256=F177211C7DAA05C1F57818EA02344B96E3F1F7403645F1CC76FF9FC920FEE136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036256Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:31.601{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06084AB4AEBDB1AEE46E765D8A48763,SHA256=1FB07A9487054A2AAAA09E12F6B45A18354898C66FD28922D0FE62098261C53E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050208Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:28.625{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64649-false10.0.1.12-8000- 10341000x800000000000000050207Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:31.309{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036257Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:32.648{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5C53D38119888DE6B1AF9E21404C85,SHA256=48032F94B53CC0A31770A8C45A0150FCEE18EB7450B6FF731BF3BF5D525B687B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050211Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:32.914{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A673A5C072DFE9A9120B253465A6A4B,SHA256=0D624249103612238B240493AEC669E2AB52C865C717880B9B8036A9FC668B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050210Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:30.259{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-59029-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050214Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:33.992{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050213Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:33.961{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E2EDABDD92D2501DA33178D6602F2A,SHA256=A3ED0C133071A44317B6882854C2011EEF507DB8D5BE720FDAF24199E7DE3697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036259Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:33.663{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14425EC236CCF096B893AD2D3A706AC,SHA256=BD43408461BBE5DDC54E4A8AFD524AFBD53E5BAC7A98EFEC223CFB2413C295F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036258Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:30.991{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51735-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050212Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:33.130{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=589839A6BCABD94DC4379C5F3FD93A84,SHA256=D98CFE7899527920D42D0C05A8EF626587C3DEC7711A71A4F40AD553CA5D6E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050217Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:34.976{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F304EAEA08DB334133A63F350C4E162,SHA256=95789CFE995FCBCD0549378B201C1F8F128819CAD925F80242AE5B17BE36D9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036260Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:34.679{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933D33E6EBC6855A65000F99540E0FD5,SHA256=55644087CB9018E4D1EF4DC56507D4E59187AF7FFEE0CB3569606B81565C0EFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050216Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:31.565{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64650-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000050215Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:31.565{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64650-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000036261Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:35.694{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7CF2AEC9D337C3AAFB64904FC27A7D,SHA256=7A1DEF873AAF5D2D1D026F32B91221E14A2EE69164695C779B95F950C3A7B0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050220Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:35.460{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95ED4F8A1003069214B3565DF79F775B,SHA256=5B9F07B0DC86898C551A7C90EDA648AA4F50C2B4ED404C897EF296E2A2568A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050219Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:33.410{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64651-false10.0.1.12-8089- 354300x800000000000000050218Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:32.727{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-4956-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000036262Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:36.726{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26535ABD4C912ABAAB9A6BB2ECC20B5,SHA256=B16A9A5A1B20E987766E42EF22FE93423593191D19CC8CC7218351B71DB59131,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050222Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:34.594{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64652-false10.0.1.12-8000- 23542300x800000000000000050221Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:36.009{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5FDF3972EC4330D1B612CAFAFDED29,SHA256=22C5DCBFDF3E5BFA438E53ED28898D266AE837FCDB36FDD43FCB704F8FF2ECD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036263Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:37.741{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD92206C7B44ACB2FF3847BF980E547,SHA256=F1AB374864298E45E7E2C638CB01703427FC175459EAC3039263F642A201918C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050225Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:37.774{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BFCCB445DDD66CCF49D1F858D497FD6,SHA256=2A1A7D89C30049E879562ABFA9F8116FD053E37BF7A7D60E77EA4C394F451D36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050224Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:35.156{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-10005-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050223Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:37.027{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D82EF36591FC9DEDC5A2EF6C12B9CF,SHA256=D6DA1E0034C12BD78B1041F1A62B3DDBD184F31FD597313FF3A733AF24AD0368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036265Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:38.757{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B872867788CBC773B43B5EB7E319C3,SHA256=717CADA56758269CC62AA8D60171F1D16D26F5F5E44B2AD5CFB7918ACDD86B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050226Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:38.028{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F839AC4CDA45B4793805198351EEA7,SHA256=B092C4BE04A271B1BF4EDC39A036944312AA670666C1AD73AC358E9F4A819A35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036264Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:36.866{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51736-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036266Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:39.804{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7DE9B37815EB22F57B7FC9E263B55C,SHA256=F10B168A9C41E36B9EADC80B71EEFAAA066BD0515F4B3F0E25ACB77E0F8DF986,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050228Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:37.491{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-14571-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050227Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:39.044{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDDC8A8EB6B857DEAE80DEE465A6648,SHA256=6F27AC18EB0FE7D626000CF272D0D398000BFF5932D028799B3D0BF522A403B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036267Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:40.851{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314E7AFABDC2BF9D62FD17745D88B3B5,SHA256=1D160174EE08F3A01B3F4FBB850AECC3610596469D4A75E38A406E4FB68D0066,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050261Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050260Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050259Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050258Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050257Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050256Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050255Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050254Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.907{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050253Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050252Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050251Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050250Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050249Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050248Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050247Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050246Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050245Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050244Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050243Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050242Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050241Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050240Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050239Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050238Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050237Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050236Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050235Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050234Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050233Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.906{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050232Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.905{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050231Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.905{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050230Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.174{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4EDC19BEBFA8368BAB76AA828122448,SHA256=8C21E795C9BCF14A4C637D1C393536261AA0433E2CA7DB70B0786088E5D9FA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050229Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.059{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5054CF2F37DC84FCAA2EF6570A4E4B,SHA256=D2B560AC2E503BCE8E857560C43FAD96BD0808BA169F3829B1452CB93D985495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036268Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:41.882{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C773573AFE4C66A1E79498ED226891C,SHA256=E275F319BC3BBC933DAF2AA04CE6D3FBC3BBF3438EF2B0C9A33D0550ACF8C833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050262Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:41.528{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6B8C6CC210B1B8D3C7C6127C302DD2,SHA256=95AC08174E506CE26F9B791773D23886FC8EAA01FC0DE2D12D5D930419703F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036269Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:42.882{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4339EDEA1923E38569322FFCE50C27D,SHA256=5BF4DD7FD2B448D9019648A7F16B70DB7FBD679C6A2228DFC351C9D442CF30E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050264Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:42.690{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECCCA56BD8ADF331797B74C1DF02CDC4,SHA256=75B1685B4F328DC1F48ABAC53B43F4C62C42D4A67EDA8E7D0A5332CFB395C085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050263Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:42.543{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC895F501467D891822B4C0FCBFFEA5,SHA256=22B246E09E282D323C1B8D9E6DAC0BBE06910D197FE273DB8CEA0D1A60708260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036271Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:43.898{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3675E8A5A7C7F99F7D6CA4379FFA1D1A,SHA256=76E228D8C06469B7F5BE80244675153E890EF4A0364D595A03A5E93450A006F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050267Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:43.543{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD285011BD382E94EDE9AA8101358CF,SHA256=CB1F95AE9B817B44E4A75C083E830EC6DA74F8A10BDD0B815138F57789A04012,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036270Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:41.959{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000050266Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.578{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64653-false10.0.1.12-8000- 354300x800000000000000050265Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:40.146{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-20264-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000036272Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:44.898{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CB162B847F3CC58BEC6F53F97FB8CF,SHA256=07B9DB64F82D4ED6A8CED270B034CDF60F4ED7C0591B027A7D73F4D1141B6995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050268Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:44.558{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447141F22ACD17C73D5A053BF567E5C5,SHA256=3D8A13A91FDB2C4EEDDB8A9EB7A02D99CAF9172F33839D25BDD985E3FC51D136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036273Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:45.929{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAF604356530BA47F7DFE16B539ADD3,SHA256=DEE30AC8DB78346845D6B6FB2510CBB990ECF0146DD42A7FD552D78F02AE261E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050271Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:42.286{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-23024-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050270Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:45.559{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA85BEC66B5E1D15B0BA2B65EAD162CF,SHA256=B33C186B9E2701024CE52234BE9B651D006026AD5C97BF7FAE0794AE3C895611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050269Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:45.008{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98BD25DDF816B19D539803476F0A9466,SHA256=7FEF1C348E7DD4911E297DA0ADDABDF4B5AD6E0D7E67A17EB01885538764D142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050272Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:46.589{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7437A1E3AE557665E41D8AB0F1A29E,SHA256=19B56FB1B3762B0D746E937A6180C2D7805E243FDF21CACD8820C5570004946D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050275Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:44.629{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-27446-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050274Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:47.607{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B5C426700883ABD4D1304F1CB5BE54,SHA256=8FF3FCE4CC9504791223AC7ACA0245A8B47F314608D5B8BF75D60BDBF2CA8F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036274Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:47.007{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978FDB3B552647D92628AE2D79911C0F,SHA256=083819C327703C36FE3C0FDC25AE35286F49F336C0BAD4E58F846290C50EFADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050273Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:47.126{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=838F00630598A51BEFBF55C58342734D,SHA256=2D3B4CAF37E2703ABF9E51E85D6A3475BF08A8D1C7D170AF0C04B96965FA6AF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050277Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:46.592{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64654-false10.0.1.12-8000- 23542300x800000000000000050276Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:48.626{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90C0CA6B3242FF8B5D8F8FB760274C1,SHA256=E2BEF05E58DA9D4C69DAFB19A625234262727092E954888C4DBEF12F2A0175CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036275Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:48.054{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C490E5960A23F2D140BEDCDF1A8410,SHA256=9E5087A983445706549EA9E203C5257BB4CD6CDCB0A8381EB03537F92F59F5D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050280Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:46.940{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-32946-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050279Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.642{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4FAF3A85BF094EE296A60532542BE8,SHA256=42D91E1814ACFABFD596051AC75AE265D7B089D4B714B385E58BCBBD32D003FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036277Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:47.897{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51738-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036276Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:49.116{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1DFD6A11E5C243B361EEB85F2204D3,SHA256=13B5A8EA6C7F51937FB20EAC8A653FF8058673F1D12EE7A42183FCEFCC2A0C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050278Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.589{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=676B2BD629FA5C5A2EC23A494E2FC224,SHA256=E1BF61B32D9C41D35BB43E01E89717A6948CA0272CA94EE184F526D11AF38A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:50.656{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5869597C9F921567EE64D96B63878C3,SHA256=7CC3B2889B36F2DD0767FE6B202A2A621B68047FF90D064646292194F525EC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036278Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:50.132{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E749E5F37912555C41CF42C73633C39,SHA256=C4ED21638E20F6AF57969C9E96353D34780A369B6D0E28090993CCDAF1A10ACB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000050287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:06:50.541{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000050286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:06:50.541{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Config SourceDWORD (0x00000001) 13241300x800000000000000050285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:06:50.541{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9A7B1CBE-334F-49C9-89E1-93C4FD220585\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9A7B1CBE-334F-49C9-89E1-93C4FD220585.XML 23542300x800000000000000050284Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:50.257{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RFa113f6.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050283Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:50.057{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050282Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:50.057{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050281Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:50.057{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000050295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.989{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64656-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000050294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.989{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64656-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 23542300x800000000000000050293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:51.671{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB7766A9B635CECEC0BAD165CECB1D7,SHA256=EEA2EB17A1C24212CD8A4E6FCDE49EE136044A8D0C69EB00D127546C7B87D8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036279Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:51.164{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99938244204ABC40289FF1F530E28A37,SHA256=C28FA74B4317BE03039ABAEB0D395C2E3D6BC845D77838F0B4AD443DAF23221A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.976{82A15F94-3493-6112-0D00-00000000E501}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64655-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 354300x800000000000000050291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.976{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64655-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local135epmap 23542300x800000000000000050290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:51.571{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8026248B8E98F0E3B9D4930FEB4BDA80,SHA256=F8DE998E0085B656D5B827E22FC4BB24233A708430E09CE85B0AC15231AD7F67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.561{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-37579-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.997{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64657-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000050297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:49.997{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64657-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 23542300x800000000000000050296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:52.686{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D664461B2B6FEBBF5D3C52D14F77994,SHA256=189AB8278A45866E54431518956E323581AF89F887DD4DD95C596B25DEE00D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036280Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:52.195{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55923B81758BFBDAC326E4CB7B88A381,SHA256=866955C5FC1845D597D455E00C316806BE3D9D383D67BD8C9DC934EAD32C9803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:53.687{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45F35E68CFC0E31F8439531DE557E16,SHA256=C3A4437E24120872A069F51AC9D94014E1A7C508AA1F6D27879F76992D4BB5B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036281Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:53.211{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A789AF7F5A925FE59E324E5995E999B5,SHA256=8B34A61C5322F414D5C46B9C6F2437F0B4CA50DDDF67018094E83EA7765B1B8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:53.640{82A15F94-3491-6112-0B00-00000000E501}6321008C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000050310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:53.078{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64661-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000050309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:53.078{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64661-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000050308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:52.974{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local64660-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000050307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:52.974{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64660-false10.0.1.14win-dc-15.attackrange.local389ldap 354300x800000000000000050306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:52.966{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64659-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000050305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:52.966{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64659-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local389ldap 354300x800000000000000050304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:52.588{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64658-false10.0.1.12-8000- 354300x800000000000000050303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:51.996{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-43294-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:54.707{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11711E9FF5C8F38F334CEC330828BFE8,SHA256=1774CC75009FA9AACA41E7A008FE2312DD1458C18185572DC46B8FD5598971D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036282Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:54.242{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6F2601737AA9B4E2222F200A5617D8,SHA256=72B430BE9325BD78BB361BACE4D966B1BF2989457183A0CFC731A8897CB4FC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:54.539{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58AE6281360C042740CAF8897691DB39,SHA256=DFF8490B8B939BC851A434D13E0CA742196EE10D7C21AEF1E870CDB75EE01E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.726{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB5F20B575AFB0BE5F7B2E37A2EE59C,SHA256=FCC321ECCC41D9A6BDAD3AE3025167136DE5B9527231B31716301EF6B03424C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036283Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:55.257{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB409627C7B2EF969D4A122E46BD1305,SHA256=0831507FF9EEB77D28B6555399F2B8507EEC5FDA76A9A7EC455D983DCDD2F954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.389{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5DCF-6112-B108-00000000E501}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.389{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.389{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.389{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.389{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.389{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5DCF-6112-B108-00000000E501}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.389{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5DCF-6112-B108-00000000E501}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:55.390{82A15F94-5DCF-6112-B108-00000000E501}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000050339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:54.365{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-47037-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.741{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3843B74F275D7F7F5D576DCFE630F2,SHA256=6B1AECF963DB6EC7150C80A6F3EBEE5808EEDDFA0B6AB9B1C32C1A54132EE9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036285Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:56.320{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D169E83D81EF88299F293B0A5B72DFDB,SHA256=020647B5F53C6B6668F30C45109EFA3BE404BA83919979A5E530EF174EA79C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.672{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5DD0-6112-B308-00000000E501}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.672{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.672{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.672{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.672{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.672{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5DD0-6112-B308-00000000E501}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.672{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5DD0-6112-B308-00000000E501}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.673{82A15F94-5DD0-6112-B308-00000000E501}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.407{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB11C213DCBF0B08FC74680C0CC2B01E,SHA256=34614064DE5E4F08C3069F79F2D033FAC301399B7B84F93AB9E05741295100DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.157{82A15F94-5DD0-6112-B208-00000000E501}50044520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.009{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5DD0-6112-B208-00000000E501}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.007{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.007{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.007{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.006{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.006{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5DD0-6112-B208-00000000E501}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.005{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5DD0-6112-B208-00000000E501}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:56.005{82A15F94-5DD0-6112-B208-00000000E501}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036284Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:53.850{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000050358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.952{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5DD1-6112-B508-00000000E501}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.949{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.948{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.948{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.948{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.947{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5DD1-6112-B508-00000000E501}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.947{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5DD1-6112-B508-00000000E501}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.946{82A15F94-5DD1-6112-B508-00000000E501}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000050350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.798{82A15F94-5DD1-6112-B408-00000000E501}6744828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.777{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98481E53D81C26911EBE15BE750A64C5,SHA256=CF42B8D834E5FDEE64C3CDA73403262E1BD4EF0AB850E6A94139181B32A1FD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036286Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:57.398{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2653ACAB7F0D71F934F9A6B5652225,SHA256=658F2CBEEDF913667F88F9A55C33189285E06E5C3334EAE164399296917DA0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.673{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DCA714E9BA26FB43C5027D1D86309ED,SHA256=9817E1D36469C4FFA1733C7F8503A8598A7EE416B3F6D372DBE036A33A3330A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.440{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5DD1-6112-B408-00000000E501}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.440{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.440{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.440{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.440{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.440{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5DD1-6112-B408-00000000E501}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.440{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5DD1-6112-B408-00000000E501}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.441{82A15F94-5DD1-6112-B408-00000000E501}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.954{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=167203CB35BA459E0ACFF27C1FD93667,SHA256=B6045E316A026F9D705B449B07250310295D77C95D74D1FCEE93CF489A985BED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:57.013{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-53358-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.785{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD3B04F152F72A6A77CC0EA27A6B87D,SHA256=03A914D0383AFFD89FED66B41A8349FEFE717111B9E6B82AC79EB4EF9903E43A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036287Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:58.414{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55AAB223E5BF40C1D7057987BF120C5,SHA256=F85C181E027289860F9FB0B3C5DB1FFDB61F91229E30600D008361C5A45F5258,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.769{82A15F94-5DD2-6112-B608-00000000E501}432508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.623{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5DD2-6112-B608-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.623{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.623{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.623{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.623{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.623{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5DD2-6112-B608-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.623{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5DD2-6112-B608-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.624{82A15F94-5DD2-6112-B608-00000000E501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000050359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.183{82A15F94-5DD1-6112-B508-00000000E501}14485692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.786{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A39180F30380B4B96CD57ED06E9550,SHA256=C3605CA8AC5EF8BAD4B1E6ED7123D31BEA5721DC885B1884F11B44597B4E7D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036288Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:59.429{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48EC3D38EE7A69C32C16557A127288E,SHA256=6B628FD821D833173F2720A08FE05A655486321A9FD79807BFED0107634A0824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.305{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5DD3-6112-B708-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.303{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.303{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.303{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.303{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.302{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5DD3-6112-B708-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.302{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5DD3-6112-B708-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.301{82A15F94-5DD3-6112-B708-00000000E501}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000050383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:58.572{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64662-false10.0.1.12-8000- 23542300x800000000000000050382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:00.853{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866F584145AB3BA9F96ABCAE5E8BE142,SHA256=72832A9B4BB6C8325FFD1D542BF13E7C0198029F1D6B1B00B9EA72032A5D1E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036289Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:00.445{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5267A2EEC7FCBEDD0EDB44B0145F5B,SHA256=DC9DF24EB5F941581C2FDE221C52C001C61E016941D8F1FD8B5F99575DE86B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:00.323{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1CA4DDC14241888099A4A5FDAB9F80,SHA256=17C21A618BAFEC68B5022C7C388BA66B0D1280D8ED04CD6F9C13D0292333388F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:06:59.494{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-57500-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 10341000x800000000000000050385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:01.900{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:01.868{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3018E42E6F1B61FF865E33D14E93DDF7,SHA256=D3C86799913F039EE7E91AB4C06EA51482FB61AF6B078B3E26788721759151ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036291Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:01.460{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A7590BEF18E9E8843310A126A8FA13,SHA256=D8D7275F6C2B0344E63864F1F3B7C71B6E9E7777BD3543F9FF69D85C622983CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036290Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:06:59.022{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51740-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:02.886{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1138FA0A5D200D3222F0DF338C2BE446,SHA256=B5E4F7AEFFC1E5AAF2EC61E2BB2E27160F13337FABAD981D7D90188126F89088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036292Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:02.494{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9BF86CC0A629901085CC7FEF6B69EB,SHA256=5720F5FC6ADDC0201CC78507A325C30D5AC8DA849892631B728B399F4DDA3D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:02.240{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B9D7F78FF473E01FBFF813B919F8D44B,SHA256=6B7D41E8FF522FAEE376BBAFEAD4F747405773B44E899A58C04DC2716E138749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:02.102{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=849EA25971FAE8B13A6CFE5C1550277D,SHA256=680640454986AF0965656B570F8ACF8630787BBDBED7B5D8BFF09D587369D95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:03.907{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0832DCA84EAE1F08C8F4978D755277F0,SHA256=F9DB7C1216FB2D25808CA99B4CEA872D6A54178C41A4FC4B0A4767A4A16CE91A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036293Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:03.553{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB12756B6311B117D813CE02A6D23B66,SHA256=84F28406ACE7B602A3D117F4C2D56DF7FF3C238B79705D62B79B9F8D1E126DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:04.953{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49933BB3094E8D2ECD0116BFA6A7D448,SHA256=AFF60CCD44B04A590546EEF664D959CF2A9440CCBF3E5EF1EEDEC97147106729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036295Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:04.556{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52211030AE11AC437B44B4066B446A47,SHA256=D9B8517D508D55DFDCDE446111D96F0046E02AF74FCC3C5B4125EB8D9E3E584A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:04.369{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7991546EFDCD468F06F1F99344A547F8,SHA256=CA1E90099C5B41E228E49C9088959350E3AEA18DCE8E2B4A6DC76C573406200F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036294Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:04.321{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:05.968{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35DE50B61CCF7EA2F587E9CEE746BE2,SHA256=5D0169E600FFCEEE86CB944A32FC19D16352D5C071F9F35B718D25C66C1899E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036296Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:05.587{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDE70CE4C8DF4337FD3D2E9B6DB6D09,SHA256=5CDA907550610CA350FC744E492F0878A2E532AC2E5581EFE3B1D386D132E453,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:01.866{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-3340-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:06.983{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924068BCAAFF5E9C14C4CE80B7ADED34,SHA256=8564E367A75745F094592227B78B580EB6B2E7D54C5799BA5E0970F0E6CC3C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036299Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:06.696{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4333AE8FF80C6AFCF0D1E23D04FF296C,SHA256=7E2EA4756B7A74EBAC2FC9D36DA4C93DA11AD350A667C90E6842365BB793F364,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036298Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:04.914{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51742-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000036297Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:04.070{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51741-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036300Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:07.743{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04E514694E1BAB10FE1BFD1D2444FA8,SHA256=1522099BC22C681B8433A3AFDCFDA1820D4849B72CB66F11230DA816565CDC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:07.036{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75091B284D0A3ECE521CA08AE5C4E688,SHA256=8E8D5F989CE9395ED7DFC1AB6FF3994D556D0326F76D5B2B7AE6649DA58AC0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036301Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:08.806{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC3321854DF15EEC20CF27637D7B14D,SHA256=A7EB81FFD581822E301A9C23746A7A37170A5B189DF25972122B0D4F99A30144,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:04.602{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-8603-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:04.571{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64663-false10.0.1.12-8000- 23542300x800000000000000050397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:08.004{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4525E0379527C4E4C2E8D0114F21173,SHA256=AA583CCF9D67C862FF5557F2330B11225CBBFCE270FE44E89E1507BEF216D934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036302Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:09.856{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B884EB24211F934AEC06186B961B407C,SHA256=97C8A6618386E5EA18C5694437F07EA374AB2F124B8E735BC88A0BDE85CEC4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:09.654{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3862992ACC3F6BE292DA17E941DBAEC6,SHA256=986C81AF902FEBC087BB8056CC8861A4E540DB13F15A7A210AD6DCAC163233E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:09.019{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1313FE7A4E1C4A146D6C0C5D874E337E,SHA256=47B37890512EEB377F6998EDB509E8199DFCA42C98C37D746DB3E02B91491001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036303Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:10.871{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6DB9FE5653BE155DB0E03C27E9BE47,SHA256=4FC582DDD55F78F9691231939DA3B6EA48B859AE2D54F0F2CA1D784F0058445A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:07.076{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-15018-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:10.023{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C85E2F676CB105D5A1E4D818FF4770C,SHA256=6EB819A789CAEE7B830B57F878EC7AC3AF3A32B7DDCFBBEDA90CA64001F3656D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036304Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:11.887{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64ABC69265856E3C3F783DC56DD2AB1D,SHA256=1E63419D7225BC449152C3CA0CEEA232C2ED86D8CD169EA006DBAF7C10DED622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:11.054{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1E6561601404AD0B4EEDB5F9F67198,SHA256=16F92EA5281FABC8F8AE0294E9B15204D1699637B56A6C477104432A01F84E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036306Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:12.903{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F264E2F0B8AABDD1C8E59CF89CB89E,SHA256=32EDDCE935813ECB1869A077B0532935E053579432B0985855CCADB3FFCB46BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:12.084{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E690EA0B9A3AF82FAF8093AFE7AE8A34,SHA256=184CB181F91FAFE4EEC66BD3590066AE94DFEDB6C98C0ED6539A6848EDC3D032,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:09.446{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-18692-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000036305Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:10.870{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51743-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:12.003{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B8CC5A051394E821CD80FFE7016D4B8,SHA256=7C04E398ADC5DA150DD2D6D4B1B2D06B1E3F682E894A2BCDC000534EBAA5FFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036320Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.918{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A165712BD74376BCF57D5E004B493848,SHA256=50E57A619FDA4B28C0A843C8DD229498E328273DAC6A26ECEE2F0081129DE3A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:10.572{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64664-false10.0.1.12-8000- 23542300x800000000000000050408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:13.152{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45895A7D51E8104C63E5ED7BE9EAC84,SHA256=3193B246576926D88CC02506326449E87CCAEC4817F123ED7D0C15C7A30B371F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036319Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036318Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036317Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036316Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036315Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DE1-6112-2107-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036314Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036313Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036312Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036311Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036310Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036309Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5DE1-6112-2107-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036308Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.684{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DE1-6112-2107-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036307Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:13.685{82855F7C-5DE1-6112-2107-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036350Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.934{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2B3EA6941C0EC4B3F91D1BF42CB90FF1,SHA256=0E09B3AA88EE3B71EC593D4A96901C57CD666D84B3FCD050798374B02B01FF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:14.167{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB62A4B4A7DEC256B4C90103263F215,SHA256=AF02D679DABDF753986140B5410B12C688CA39AF2FA417E6EE2D0FD976072933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036349Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.903{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C9C4D9E0BEAD1250113013316655D0,SHA256=8FAFF53E95D3610E04474175D358A04BD74E0321FBF6383BBEDFF6C465FF1730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036348Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.903{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1C5477C43C26E138D78DB31F1A29B79,SHA256=05E775C74E89220A3DC975E11985E9A0A0DC9D49156E5AF09CC1A25B90DE0A2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036347Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DE2-6112-2307-00000000E601}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036346Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036345Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036344Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036343Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036342Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036341Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036340Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036339Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036338Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036337Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5DE2-6112-2307-00000000E601}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036336Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.856{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DE2-6112-2307-00000000E601}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036335Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.857{82855F7C-5DE2-6112-2307-00000000E601}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036334Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.590{82855F7C-5DE2-6112-2207-00000000E601}3324884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036333Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DE2-6112-2207-00000000E601}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036332Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036331Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036330Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036329Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036328Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036327Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036326Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036325Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036324Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036323Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5DE2-6112-2207-00000000E601}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036322Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DE2-6112-2207-00000000E601}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036321Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:14.356{82855F7C-5DE2-6112-2207-00000000E601}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036364Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DE3-6112-2407-00000000E601}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036363Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036362Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036361Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036360Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036359Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036358Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036357Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036356Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036355Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036354Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5DE3-6112-2407-00000000E601}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036353Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DE3-6112-2407-00000000E601}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036352Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.934{82855F7C-5DE3-6112-2407-00000000E601}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036351Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.153{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68943652260850491F56155ADBD757A3,SHA256=B804888021044C2FAF92C07749CBA74C9BAD5549F8841DB691E42B4D671CE48E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:11.782{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-22866-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:15.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D242B2BCEF8C26679A1748003EFAF7,SHA256=AD40D94F8B50BEC45B351F785399E1DB316292F003065833E892E80EEC03B408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036381Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.965{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C9C4D9E0BEAD1250113013316655D0,SHA256=8FAFF53E95D3610E04474175D358A04BD74E0321FBF6383BBEDFF6C465FF1730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036380Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.778{82855F7C-5DE4-6112-2507-00000000E601}19643852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036379Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DE4-6112-2507-00000000E601}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036378Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036377Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036376Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036375Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036374Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036373Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036372Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036371Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036370Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036369Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5DE4-6112-2507-00000000E601}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036368Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DE4-6112-2507-00000000E601}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036367Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.606{82855F7C-5DE4-6112-2507-00000000E601}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036366Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.090{82855F7C-5DE3-6112-2407-00000000E601}30841568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036365Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:16.012{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969F3B9F444BA209E271BC6ECAA94911,SHA256=AF0FD013FB620693E53B85329151727DA719713684AF413DEE1FA80FEEB886C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:16.200{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE0B8CB25AD5E2E41BCB503791F5186,SHA256=99330AABBE2860BCED0011248F9B8B21B2680F63E176A7B1E8E2BD0985FF15BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:16.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F77A04821C115F164361D3721DDD023,SHA256=EC243FE5110F784EAB873649ECD6038D8F35189A2A0387A7894CBD09A6325561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:17.218{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D0597B627EDF651A3B84FD299B1203,SHA256=D4C75DE1FC9FD212AFEEFAE63FE5DAF42714278F139C379944E521024C9D06BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036409Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DE5-6112-2707-00000000E601}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036408Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036407Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036406Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036405Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036404Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036403Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036402Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036401Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036400Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036399Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5DE5-6112-2707-00000000E601}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036398Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.949{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DE5-6112-2707-00000000E601}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036397Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.950{82855F7C-5DE5-6112-2707-00000000E601}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036396Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:15.933{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51744-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036395Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5DE5-6112-2607-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036394Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036393Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036392Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036391Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036390Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036389Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036388Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036387Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036386Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036385Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5DE5-6112-2607-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036384Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5DE5-6112-2607-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036383Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.278{82855F7C-5DE5-6112-2607-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036382Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:17.028{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E6A70E6163BCDDC06F81C24101FB41,SHA256=C48B953366CE9F43D87A2EA8E671C64E8209978301073CB2F9135E06D96A624C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:18.717{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:18.680{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000050419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:18.680{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000050418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:07:18.680{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.25.176441007C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000050417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:07:18.680{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.25.176441007C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000050416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:18.233{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2254833651309A5868E72E09B7B6EE64,SHA256=B2197D282B00903A0070E9CAC42607E4BB5498AE20B50F0CFEB40AD1A87E3EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036412Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:18.324{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAE61F652499289810DBEB35C3AB043D,SHA256=4833D31DE9B1507179CDB2E9E58DBAF87041F9CB1356661B896C5FF6037AFD01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036411Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:18.137{82855F7C-5DE5-6112-2707-00000000E601}38082208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036410Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:18.059{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AF362835D2DBDE6CF0DFE152A01AA0,SHA256=708AEDA6224E78503FE2B884E15FD485356505B35E76BD618798BED52A9D8BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036413Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:19.278{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4A23244123DBEA4A04C05575D239B3,SHA256=1C8235AD89CDB6D6725DE5A79866FF1B691463584E00D9C2653F497AA61D5727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:19.779{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1312EE049A62AF582B41E14453B2FE06,SHA256=F98D1B4B0155BAE396C1695225B7F0DF35C1FB5B0F7A5D8E50616C144CC39231,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:17.184{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-34111-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:16.567{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64665-false10.0.1.12-8000- 23542300x800000000000000050422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:19.248{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062A99ECFEC1A4874B379628EFD41F66,SHA256=6C623B9403666BBAD3693FDB6100A103262F52E97629ED6DA5B4E82F59DE6730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036414Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:20.340{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1150456660D2E8CAA77276108F505861,SHA256=25610E51D62BAFA4306341A77A3E64E104036B5074A9BBB2DEC8C4A82BA2BCEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:20.616{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:20.263{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDAB3A966D5100107DF2F43E6E9B38D,SHA256=27795F366602AF5C29BC95E4566BE0F2B33FB9619A463CD467843C5AF9B47A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:21.278{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040A551C912504A6DA9F2D0E94702A12,SHA256=4440843E4EADDC17AE0066ACE81BDC5E7EC44F73D0D85716A59617C147B7E006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036415Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:21.340{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D463B0C92D34AA0952B62868EC07C0A4,SHA256=3A4F4555B9812C15820FA9E450C1D0B0753D5326ABD3AB0C1616055A675B2BAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:19.663{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-41034-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:22.298{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2600CCEC7B3ECE03BDFE329C7C05F4A,SHA256=F735DF27B517D0884F6DD520D51A21F74371DA735FCBE470A006D4A5D8842468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036416Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:22.356{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0D64EC3342ED4B69C52011B62CB1FA,SHA256=3715C705644BAB0ACA1A0377CA283704B6CD6CD1257E6021889E94FF34191534,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036418Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:21.948{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51745-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036417Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:23.356{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E63C14833489C2F43699EE1F1095E3A,SHA256=6D0EDF1ADF88C0B95CD66E052157EF6057DAFFFA0B3B30CE2F1350040A28AA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:23.314{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E138A2618F8E46F476E69617E95F88,SHA256=F842666CC39B84673B0DB0C65B177A4457EE80955A618093D66856AD9EAD0AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036419Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:24.387{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6C57E3D717A63A043FF813878185F9,SHA256=0BCD52BAAA8C8C553C2F4508E1B11BE094144429D89A1712CAA0625E05C99CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:21.695{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64666-false10.0.1.12-8000- 23542300x800000000000000050432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:24.345{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EF211AA08260503FEA589B1824E599,SHA256=19C1FF46D3E712B3E00798DA72DC089F336B703FBA72D377F64CFBF1704F3142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:25.360{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165129CB23A3B4D1CE65F80E0E64F50E,SHA256=8B97B2C33C0AD95859D87EABA94E6584DB6617AD376EEE92C5A48BE2E9019E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036420Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:25.449{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B568BE44688911FCBEBA82654392FD,SHA256=7BF5B90268B16396EB348195A7094B0C90B100F8FE837F201432B1B213861BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:25.045{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABBC46093DD1BF4BF2912B2C79E2E0F6,SHA256=E2E97A8EBC849F0A605DCBC22C834665A60A6FB911C0AE156CC3A9D6F6251D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:25.045{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64326FDB52D89BFD1423B64B5C321DDC,SHA256=AF547EF758E628F4A54D4FB0C5D9A071D118E12AAA9DECA547A54EE7D08AD370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:26.375{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70200F595534BC067DC3A0ED068460C0,SHA256=FE36211C83302A53E44007EE42B08C2DE0C94A14FAD74152C4FA817CD82C6310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036421Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:26.481{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C1103236565B8B0C805B064DB24ACD,SHA256=FBB49C638B17160CF0599A3A5469E5B89D8B8915E08E4F51E0D70FD8DB6B145A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:24.937{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-50918-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:27.413{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABBC46093DD1BF4BF2912B2C79E2E0F6,SHA256=E2E97A8EBC849F0A605DCBC22C834665A60A6FB911C0AE156CC3A9D6F6251D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:27.375{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36FD170ED7E3A80F20C9AA0286C3339,SHA256=414F657FFBB618208F9E9C7BB5E5628A0B25BABFA83024CA848DC94CF2F8F799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036422Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:27.496{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C113EFB5A4C67019B34F69481CF278B1,SHA256=CF4A192E927383BD33ECB4361B52AACF00C05704ECB91FB341126223530BD276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036423Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:28.512{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3C2B1F6EB3280FEE2279FB61736E5E,SHA256=7B10D67AFA6A85DC27DF11A94F23FC139F94DE3ED813CE7E514D540DBD165935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:28.396{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DA775A0372685E9C76E5BDA756EF26,SHA256=36D782F94777CFE62BDE313F76D3D60DD13FD33EF4909CE9516A8D9259027764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036424Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:29.517{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA507BD3DA43948E967A2A81938E9787,SHA256=E8885E0C954042CC47879EF2982D819FD0150F660372964FAF2C483A9451272C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:27.628{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64667-false10.0.1.12-8000- 23542300x800000000000000050442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:29.411{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2715C0FEF69A0DC4F28DB0980DEF90AE,SHA256=566B108016094E1E8E46A46CD9F04E25E4B9B29FFF4E9922D27ED06800C13535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:30.759{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:30.412{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7F9BB27C4D8B927D374E59E934D270,SHA256=73DCF87F4E23AFB632DCD5D37C7A17EA729ED6E17B3EF388CFB31736C99B6709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036426Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:30.579{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2C0BD0EE3D0433AC941B89CDF667DF,SHA256=0E5D4985535A28E57098F3C01609AB06FC47E26AA80CB0576F67A93708A50FD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036425Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:27.902{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000050447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:28.879{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-58272-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:31.412{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4106615D6401A381BA086E02A2786265,SHA256=84F17C675DEF5BDF270B2BA6766315E40804C53F053647125812C53AFCE08075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036427Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:31.610{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA988D24F2625FD8504C252445A0A893,SHA256=BD5874FDE0D883124094A647A04773F5AE23046765F9489E2659050BBE960A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036428Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:32.626{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0ED4CBECCA0F66AAC71FDA551F3F0C,SHA256=1623CFD90B69B7EAD876901DCD052A78C9C585ABE9EB128D0827A5B9E5657045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:32.559{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACAB4C0A248FCC726B17311737179AEA,SHA256=F8273C542A7E9731FDFC1B30DF3C6A28FF0D20933199AF97B760C44351416621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:32.544{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C33B123EA25C2F5C5E6F14F5DC8D751A,SHA256=589BE1A169CC3B4255AABCE6F64A76EF5065558C5A7B116316760B016A4845ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:32.412{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FFD3A78890293C98322D97186802CD,SHA256=8B4A611F7B261B1283528D7A7E21705CAC29B9814E83415A23D6BD05F6E1BABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036429Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:33.642{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132D3B0543D4CEF630C81907585DFB81,SHA256=C5A142226ACF9A81E848FC8A8BB6A84E8D8BB2DAB41880478A641A1F30314A6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:31.578{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64668-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000050452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:31.578{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64668-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000050451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:33.443{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857DB3A2016769956E6AEF393EA28BCC,SHA256=18FAFB6C71901011EB2DE42005DA2097DA20788DC3DDE19C74D6BE82EF6D1964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036430Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:34.689{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051D3E985D7630C594D1FD86408197FF,SHA256=8266E987CD95D40FD4D1314D1C2552F39E3E48358B7E437F5F4E6B4E4D9879FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:34.474{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24415D00F59272C840F1B4E607805B85,SHA256=12029CEEC00884D4AB5FEA5FC2C1781D0CDB472C56020D7A19507299721DBA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:34.027{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036432Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:35.720{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFD84AD9F2C43F117AFF2344124C4C6,SHA256=C4B2A5646AA28948FD88C2C5124235BB693E27B5830202348BBA9FE870FF82C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:33.523{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64670-false10.0.1.12-8000- 354300x800000000000000050457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:33.445{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64669-false10.0.1.12-8089- 23542300x800000000000000050456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:35.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4236D46C94BBDD9DCE8A61B118E81297,SHA256=35E04C2D8DE6DD4FA2F653DBC5907BF76A1B65513678E9D80DFC211225217505,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036431Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:33.875{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51747-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036433Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:36.767{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01997D5736AA92E67B48CBC7CC9B34C7,SHA256=762319E44229A8C5AFEAA6F04A36A8C8A0316AA26784BB4042BC5FD575529513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:36.542{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA656F32DC3CEF0DAC356A9DDF15830,SHA256=6129E36CBB09BF43F3977E297C140A98FF1A188D1F19A0D99DDF9BCFADFC533D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036434Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:37.845{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A60E949E99F1F32659DE6DED476E4E7,SHA256=35CE31F89A1CC022D11523FD6BD7364A32B20F7B731CE30F0E889AC7DF508B48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:34.356{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-9809-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:37.573{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F92E57C1B473D5CA8AA389D99F9D3BC,SHA256=41BCF3CC44D373064525AEE0C4C3A2D3310E7DE24B5AFFFAFCF4A0EAC347A3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036435Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:38.860{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C479E03C8D34CE11331A52A838979E7,SHA256=40C7352C4A8F53936A6BE506D62C9951A4CA01C78CB860C1F070B8E964FC099B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:38.592{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E34D24271035E8084714A16BD43B3F1,SHA256=4C7255786CEC1EDA9F21917C4FDA2892D2991416C720BABA1B0C04E9DA4C84B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:38.042{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8215229452B7F81AAA67BC9AA98120EE,SHA256=393874125342E5B0DBFB56372B5F4337FC87CEC06095510ECE275CE981B8A935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:38.042{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACAB4C0A248FCC726B17311737179AEA,SHA256=F8273C542A7E9731FDFC1B30DF3C6A28FF0D20933199AF97B760C44351416621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036436Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:39.907{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0968DCD9159680A3CD2E4FDC030C2AE5,SHA256=3E42110787D7277352FE2F3A1EFD2EA9426B1C856B184B4BDE603393DE2951FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:39.610{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A307504D534F68A87A946743042975,SHA256=E617DEB7DFF10D2308873AF618D3811E8B89FD17A2CEA90EBD53E356CE62E556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:40.625{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1881EBCB477AD020B87BB9D049A8353,SHA256=0DCF0DCCAD1AB0485BBAA6C35D394AC15D857FE2AB2950F1469AE872D50F6EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036437Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:40.954{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CC1748FFC90B14DCC500C080214446,SHA256=FC0D380314A22D69D78467C20FC559CDEDF770E19012F249D4A99388FC40B346,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:39.765{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-19976-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:39.506{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64671-false10.0.1.12-8000- 23542300x800000000000000050467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:41.640{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D38F703E3F5E28E509C155FACC8478,SHA256=7A0942900EDCA8D9BC38A23565708214708E34C8E3DD88A64A7CA6BB6E862C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036438Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:39.844{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:42.671{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48ADFDE94F78E64CD5C87FC2CE90745,SHA256=C24EF1A2A043462BF78EF60B397D060FC35886AE068288C438FD62041883474A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036439Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:42.017{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F82A120B03393DAA9E5C7BDF8372EF,SHA256=960384A81704CA0C74EB923ECBF66B8DF61B1A59503A89EDADD28C1BD03896C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:43.692{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE44B332721A2D556A4FB7F836A0DAF,SHA256=EECCCC262E139551905DD052A4F7800B804516F9FB63AEFD2F29BD65D12AF0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036440Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:43.032{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A316E50B26C9BACBFBAB44226F1AB995,SHA256=F1BEC06421E59E1E5C818FD4CDB12936DF07A17607180E9B91183762236CD707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:43.539{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD15BE851390514C7AD7EAA23A56EB12,SHA256=4D978B34E8D5C870F2618089C571527F5EDFA1354C412E75AB332049C0C25F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:43.539{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8215229452B7F81AAA67BC9AA98120EE,SHA256=393874125342E5B0DBFB56372B5F4337FC87CEC06095510ECE275CE981B8A935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:44.707{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B261C62CC8D2A40AF6C1E61B01012418,SHA256=7D8D13EC4F72A63F1E30917B759A2788160E6A3B61FC94AB5449F3B9B316347F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036441Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:44.048{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F522849C0A3C117B6EA41DB92F21EDB,SHA256=DC7814534B5547EFE803672C752B0856EAEE43CC2F12CC825FCC3C477FDF69CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:45.738{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D405B74CF167E713DDBFAAA044B49BC5,SHA256=BB03C6364A30B52BE37AA8686318E3635DDEA71C67670C9ED70D87993633F425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036442Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:45.064{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A13085E724F1C94AB2FC6E4C935A2DB,SHA256=948C67E6625F6738218E07CA524C1C8BD8D919F4C1314D3B90319914D31EB419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:46.769{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E39F1F3C054CD49908CB1048CF43CD,SHA256=98617CEC95E8C1257AA9DA36C8A4EAA80FDB91A4947E839CA9CF954F4A5B1363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036443Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:46.079{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16789EFE88AC1C234A715E27F53C74C5,SHA256=7FCF3AF184BF53141BC6EFF0C5AE5220B16B733E9F4DD07618095B17A203E8A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:47.786{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F0B6CD025E2EC4E4D86962A1C69B3C,SHA256=45BC28C903590C85D8A61C2421159E6526C340FD965B0B5E3F5BBACD75AC25A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036445Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:45.859{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51749-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036444Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:47.110{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741EA2D94EFA72DC3585D3ADB1059094,SHA256=68BF9AA5B7C1968A6BD4D3C3BC04640BFF3AF5A7DBB00E7DA45598FCB27CB990,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:45.190{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-30207-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:44.672{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64672-false10.0.1.12-8000- 23542300x800000000000000050482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:48.867{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3C616062394D61D12061A1A69EE346A,SHA256=6CBE4F7EAD02A28DE0935CA7B2330CA35F460C4424A7A441BEC17F73AC136E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:48.867{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD15BE851390514C7AD7EAA23A56EB12,SHA256=4D978B34E8D5C870F2618089C571527F5EDFA1354C412E75AB332049C0C25F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:48.804{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3CD977957AF92D2150EA87AF051967,SHA256=5114DC60808F464CAA17FDEBA94C618A2646C2C4AA4E7AB2E880DB9551F3066F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036446Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:48.142{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A05AA7093F52556A543F2CEF873B477,SHA256=B2DFB1AC975312D772F64A37F741034E9163AD996DD3B49437B37BC4D37B10DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:49.819{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2BAAC3351319A734577082D6FCC6C2,SHA256=B2854E8F56E64CB9A7ED3935C5986482B9F842182795318733C743A03340257B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036447Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:49.173{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6232FC8BF838E35D4D56A21303011A46,SHA256=CF361543E1B4D219F4D582815D48EFF0BE0921582E8CC1FC44EC03174C470FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:50.834{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F9FE7A7391521022C77928879215A7,SHA256=12F92E036BB2078EBEB57F11A28D554CB9D526B476CA402097918336096FD9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036448Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:50.204{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C960D326FCF7B4D5E8263368FB0ACE2A,SHA256=70E39BFB511708B6953720CE1CC85E8C28130E4B7EF313D8131D298DB84D445C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:51.849{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025A6EE8EA03819F17518DC4E8379798,SHA256=C3BF17A5194DE3466A89B6C3C4045D1EDA81D302DC1B5E337D28FDEAE3BF34CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036449Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:51.235{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE30C2102FB66FCD8A4F3C22B4C308B1,SHA256=509B6262CDC64B9217D64E984975AD91D587D204691D53B13FAEE9B60B40B823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:52.863{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27840F19025A02DBC67002A63D050DA,SHA256=F2FA3E0B784E58D3007286F577811589133F113957F8D1ACB6017441C31302AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036450Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:52.329{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3751F137796CC5D36D8D4396EAFF504A,SHA256=18C214536D22BB1733A4057FF873640580567B2B8441E1FE2E3C5246E37E4877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:53.864{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41F357CED8344871CAD1146F5EA6FA0,SHA256=5AD5E05359B6BF555C9E14D3FFAB53047D5788B3CFC8CD63C8768D662E2EE8ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036452Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:51.843{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036451Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:53.391{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14CE922FE251F424AA842EFDE60F9F2,SHA256=6910645A90277E31332EE342F3E9419FF8223819C1804D1F44FE118E3D86ABF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:50.436{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64673-false10.0.1.12-8000- 23542300x800000000000000050492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:54.882{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEFA99E8FA952C81C7A32C10296D1D7,SHA256=D1B6EF72F7C5FB8F87A5F422DB8AA3A420C76C614DD46770FFEBB7983A635E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036453Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:54.407{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A461BFE65DF3DDFBAF370D320E8C16CB,SHA256=932F682396255550426B6E334F8BD4E4F17512D8D196C446AE0AD12FD9F6BEC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:50.730{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-40475-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:54.417{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E62148390B5C5096E3C5679626EB28FD,SHA256=6D5C940B6577CED71FAECC02E64EB1C51A0354614BD6FC0E7F266D3EFE9F8C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:54.417{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3C616062394D61D12061A1A69EE346A,SHA256=6CBE4F7EAD02A28DE0935CA7B2330CA35F460C4424A7A441BEC17F73AC136E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.948{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9861DCFC1F9F6DA8925DACF1E407D164,SHA256=F665070C0075F5D5B99704BD05D6FB7CBF4D427448B2027C42672678C13C40D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036454Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:55.438{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18F5C756B8F72096424A5C9480E1A63,SHA256=3C8C5B6D15D93E2F5DD48F5D2AD82ACC1BBB1E76440E6F46DBB3EC42963C028C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.400{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E0B-6112-B808-00000000E501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.400{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.400{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.400{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.400{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.400{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5E0B-6112-B808-00000000E501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.400{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E0B-6112-B808-00000000E501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.401{82A15F94-5E0B-6112-B808-00000000E501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.950{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696629C1B22DA3CD000D56833AB079D4,SHA256=F5A9F34A8D928559349F49CE5DF09E6CAB06CD70ED76D0AAA5230FD8AD2B9AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036455Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:56.470{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C863FBA3B7F1518F9AD9135287F94188,SHA256=56E08B9BE566B3605ADC6B8E0BE46195437A6BD03B97495AEF75FF6FDA9DFA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.750{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E0C-6112-BA08-00000000E501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.750{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.750{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.750{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.750{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.750{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5E0C-6112-BA08-00000000E501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.750{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E0C-6112-BA08-00000000E501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.751{82A15F94-5E0C-6112-BA08-00000000E501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.404{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E62148390B5C5096E3C5679626EB28FD,SHA256=6D5C940B6577CED71FAECC02E64EB1C51A0354614BD6FC0E7F266D3EFE9F8C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.289{82A15F94-5E0C-6112-B908-00000000E501}53761012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.084{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E0C-6112-B908-00000000E501}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.082{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.082{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.082{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.081{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.081{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5E0C-6112-B908-00000000E501}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.081{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E0C-6112-B908-00000000E501}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.080{82A15F94-5E0C-6112-B908-00000000E501}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.987{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2AEE7458F0E899F62EEE9B218942D9,SHA256=05E7BC01E1FC32CC7526254AA067CA0895B6FE490CC35BD030EDF12C225F312C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036456Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:57.501{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7040411DA39C0FFB0B5D246D6279FFD,SHA256=27E411D453F5E3F9900743568A1AAB5798FD6498EEDB91F4480E4FDE88F9DD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.784{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=162C0C9DD11446C896CD0471CFF1E445,SHA256=8ADDD51753CC55E54BB218ED6214FCC3A72C353CB1AC4B2CCC840808F9137526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.634{82A15F94-5E0D-6112-BB08-00000000E501}39921440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000050529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:55.466{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64674-false10.0.1.12-8000- 10341000x800000000000000050528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.450{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E0D-6112-BB08-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.450{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.450{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.450{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.450{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.450{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5E0D-6112-BB08-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.450{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E0D-6112-BB08-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:57.451{82A15F94-5E0D-6112-BB08-00000000E501}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036457Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:58.548{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729DE47547547B1B2DDE8D1B018AB169,SHA256=995FE7C90BE8A49CDCFCFDC384F87CA9B0EF43EFA7D62BA9F4AFD78AFB36FD7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050551Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.865{82A15F94-5E0E-6112-BD08-00000000E501}69643196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050550Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.702{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E0E-6112-BD08-00000000E501}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050549Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.702{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050548Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.702{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050547Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.702{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050546Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.702{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5E0E-6112-BD08-00000000E501}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050545Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.702{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.702{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E0E-6112-BD08-00000000E501}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.703{82A15F94-5E0E-6112-BD08-00000000E501}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000050542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:56.084{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-50440-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 10341000x800000000000000050541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.250{82A15F94-5E0E-6112-BC08-00000000E501}22521808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.034{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E0E-6112-BC08-00000000E501}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.034{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.034{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.034{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.034{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.034{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5E0E-6112-BC08-00000000E501}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.034{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E0E-6112-BC08-00000000E501}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:58.035{82A15F94-5E0E-6112-BC08-00000000E501}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036459Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:57.859{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036458Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:07:59.563{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7511C9358F538BBEB07DEA37E5CB30,SHA256=71C23A8B1319217DC4473B5F34FAE7A815E5F45CAA9F95AD4DBEFC9E7D076222,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050561Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.318{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E0F-6112-BE08-00000000E501}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050560Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.318{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050559Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.318{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050558Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.318{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050557Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.318{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050556Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.318{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5E0F-6112-BE08-00000000E501}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050555Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.318{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E0F-6112-BE08-00000000E501}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050554Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.320{82A15F94-5E0F-6112-BE08-00000000E501}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050553Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.049{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCCF78172BDC8E183277FBB376F3348B,SHA256=D29666E6B1B04732B87E124E6262A9C4851C9A4BD2862B27680185C910A7CC98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050552Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:07:59.002{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4935C65FC1F83FCD87260F1CCF655B5B,SHA256=334F7A55CAE52480661B1DC9ACAE03ACF04BD60544E4E06E0573940A62760C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036460Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:00.657{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BF2C1A5A62899914F25F3FF6C008FC,SHA256=F4A5EC6BC49BE1BADD578AC21B9755F6D550FA1D5F584FCE704ADA5DD5F4F0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050563Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:00.319{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2BADB5890B9C37284147962CCE4546,SHA256=436E2B51C59CA126DBA4CBC0A3362926D73913F52C1C82BF2FEACE918EC5DB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050562Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:00.050{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A46EEDA933343D9F53D90E854A07AD,SHA256=1420C57B774445467449B1B657AF1789CA6E2AF490038A7630138CEA003EC89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036461Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:01.673{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0247837A9111B165E97E46ED2A6D7564,SHA256=5CFA833B8297B5FA254789FD77C4DA6725E0E835D17C12BD038493FD2816C4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050564Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:01.084{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F4F4D79CFBF591D66D76BA5D3BBFCF,SHA256=B1728EEA6F0AC6D3E579A7D94957D9BB1CF317D8F43CF3CAACA70384255AB048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036462Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:02.688{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEB02C0231048926EDA814E118F2674,SHA256=C9829F2AC0BDD9A986213700C8CEEA545BE966560F0592D01C20DE52E169647D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050566Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:02.249{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3A90C78098C122E3E76FDFFF974BB8BE,SHA256=0B68A04FFB5052EF0C4CFAE6E788B20D788F5BB8C09D9DF0AE817D3D527D02B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050565Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:02.102{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21867F70EB3DA7943FFDC05B2315CFF2,SHA256=74CEE18E6857CB4CF514F7A112D9D4145549757EB8AF5DC992954D65A0E9E7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036463Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:03.721{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F5955D476A676B810C1F80EC6774C5,SHA256=2ADB977C5AC5594C254FD7C39896525B8447058AF0E048ED55D959022CDF43DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050568Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:01.468{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64675-false10.0.1.12-8000- 23542300x800000000000000050567Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:03.133{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBCAE54A1C774D4C83BBEEC8DA1F4BB,SHA256=F0C378E5C363D7DCE4A1B0B2A83346926DB0FB940DB964C8B52316BFC4417D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036465Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:04.734{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3181F4FDFBA086862B299D1F2565399B,SHA256=31455AFA8F0CE0C76C582A079F9F138DAEFB6C5E539C01D1B21093AFD81901C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050570Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:01.630{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-2120-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050569Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:04.149{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8AD6FF628EF0B3C56A3EAA2AF8D71F,SHA256=B150CDC3536488EC1D2E1A87E6D700F559FB70226A72278F6F8BF2ACBE704200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036464Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:04.343{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036466Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:05.736{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD594A7D59B26B51F1A630BE52950AA,SHA256=0CC3A6A09C68988272491273D3379AB619AEE2B224AE8CB06009F1469A509764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050573Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:05.317{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ECE1E7950A42E0988A7577A5D89D7AB,SHA256=399D25AE58F6863FB1FABA30A3E2FD7F9E6F8D2726302C4C124421AF31B901CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050572Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:05.317{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E8ECB8165187B7F3FAD5BFA919C0AB4,SHA256=7BFA9C15D1735DFC827DD10172A46A7C77B958E9F5F16D0124F9B3482E33E2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050571Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:05.182{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFDD86207E0B4E3851CED4BC8B15358,SHA256=2771E1D3AC3CF5ADEB0887FEA7268C56041E356FEE94A025F06AD44B170207C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036469Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:06.752{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122E45E9F2E0DEB09DFD2EE6A0BD60DC,SHA256=6E9EA9DDFF87E698D682BD163DDCC70DBFC5FDDA277E7E8B9ABB5052B0C5665D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050574Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:06.200{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD69FB016B020093239DA9E0113C8EA,SHA256=FB58C15E538647D4086FA753580481CDF2250C8F3C1051CDADFFBF69A89D6C9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036468Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:04.092{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51753-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000036467Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:03.873{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51752-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036470Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:07.783{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA715327E5629326F70D8C63CB71979E,SHA256=40BB4372D5B1207D61727EF05049FD845D9CC3E36A52FE171B1D64DF2AA2E827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050575Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:07.215{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243874F323925872F72C8540516DEADC,SHA256=E3DAC29ED86237D4C2844ED782A10B0E6C5B5A0F3445C7AD18AEEEDB2E3C7952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036471Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:08.799{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F2990D827FC99D150F84CE8252ED22,SHA256=FD9DC3D0D575CE33A154E3F7F41D6D90EC4E41C47692BB16BE0B597255B55B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050576Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:08.245{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33833E9903B6BDC974A1BFD1F121AE69,SHA256=9A1B3071320E1DC64C9966D5F4C4EEF14AEAFB701B16DFB5AA9A0246B2A67EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036472Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:09.817{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E420B324E026C6EAE72431489999315,SHA256=81C31377E785FD23EFC26C6340058FB7E5785D9E2291E40C85E53EC2775BBD7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050579Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:07.464{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64676-false10.0.1.12-8000- 354300x800000000000000050578Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:06.999{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-12234-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050577Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:09.261{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550D4ADAAAFEA498B07266137F25C49D,SHA256=3955EF54CAEE37C32228E901244E71FA89F077F9D4BBA05353840E369EA79392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036473Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:10.833{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2816F186AEE11814AFCE7FD5943BA1E2,SHA256=0592D6E8A1937C32370C695C2F0A78C5C897B97A15C99D6B99085E43E16E6809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050582Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:10.980{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=659EFB5C67CF85281FEDB3833EDC3DEF,SHA256=8DA5081F59440B1DDF6EDDFE0818322637D995608C34B52BCF34C65BF14B149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050581Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:10.978{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ECE1E7950A42E0988A7577A5D89D7AB,SHA256=399D25AE58F6863FB1FABA30A3E2FD7F9E6F8D2726302C4C124421AF31B901CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050580Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:10.298{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8ED8A95B6CC5625ABFA257D3C96998,SHA256=DD57A8A279E64AFA7277458063FBB7E75E3C7F230F81355BF66DFE11B218CA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036475Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:11.864{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F5B857408F4F63BCE824AB6B834D92,SHA256=BF10272239ECB39AA47A01E222B947313ACFAAED9DDCE0CE052A5D4A45022E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050583Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:11.313{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52544718703529E88A27161DCF5CCFB,SHA256=8D308F657D4EB1777C34D1D3543B81F0C29D724B416D1A87361EA242FDB01DF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036474Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:09.847{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51754-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036476Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:12.880{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE156C70899C619A5B34ECC0ABC300AE,SHA256=D4D1CF0C06E11DCDDA2DF24C74E7587797CCD0A97FB0734704B66718516FB20E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050584Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:12.328{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1343D10AC3AA652FC316A7BAF06AC1,SHA256=F8A8BDF11528177B79515045C66E9B084B926E4E86FB97290A18615932498E36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036491Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.942{82855F7C-5E1D-6112-2807-00000000E601}26922640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036490Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.896{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E872FE10E1E800DEE9EC301BBF1503,SHA256=B8EBDF50286061108A6A70E20DD1E32F403792F6691E649416B91014F62E4CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050585Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:13.359{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200054E127D1F80F27D70AAC5EF9FC43,SHA256=8AA814CC784809C8884C9167DA0A1B7A901202D6BFF6BB48F21DE2DB7B12351F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036489Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E1D-6112-2807-00000000E601}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036488Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036487Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036486Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036485Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036484Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036483Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036482Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036481Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036480Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036479Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5E1D-6112-2807-00000000E601}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036478Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.692{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E1D-6112-2807-00000000E601}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036477Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:13.693{82855F7C-5E1D-6112-2807-00000000E601}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036521Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.942{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D38129CD3DAEF3223F08ADA3F00140,SHA256=56AA69CDF690D79645A45A763D63DA5BE1FF93C3EE0AB5B1F151C79DA88C5A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036520Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.942{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B23D258ABC3BD1920F20FE821F3CF9E6,SHA256=07CA420DA6F1043F696E2EC51CD178E6EE47D97D12D87F915A607A971ADDF22B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050588Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:12.604{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-22984-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050587Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:12.546{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64677-false10.0.1.12-8000- 23542300x800000000000000050586Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:14.427{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAFF9BA44167044848CC79471B69937,SHA256=68E09981B9939990A965C42C7C927811E67485E56247267663233CA62537CD85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036519Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E1E-6112-2A07-00000000E601}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036518Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036517Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036516Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036515Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036514Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036513Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036512Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036511Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036510Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036509Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5E1E-6112-2A07-00000000E601}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036508Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.864{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E1E-6112-2A07-00000000E601}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036507Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.865{82855F7C-5E1E-6112-2A07-00000000E601}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036506Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.708{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4AF07E8386EDC3D243C06749D120D4E,SHA256=B01504A8B2743865CDCA07B5A0F65EAC126701E034DB5EF196ACC2BF24134F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036505Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.708{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00CA65828823B7AB479E6A99F6FB17ED,SHA256=9AA606764EE5D3DE991516D58B1DD306F4C7BF2A846D531EEE0C4ED5033120AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036504Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E1E-6112-2907-00000000E601}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036503Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036502Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036501Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036500Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036499Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036498Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036497Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036496Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036495Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036494Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5E1E-6112-2907-00000000E601}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036493Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.192{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E1E-6112-2907-00000000E601}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036492Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:14.193{82855F7C-5E1E-6112-2907-00000000E601}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036536Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.958{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806DB6AE49740C732F1587255A114918,SHA256=0A44244641B43136C882834950BF5F6C2707A72CED34A41028F3BBA7F13771E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050589Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:15.458{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114404B5E4AF25D5380D808757410C53,SHA256=7A7A005E3D09B5C45483CBA5C0B272C6F0550B22F1D4E22880ED4D4582E1EDD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036535Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E1F-6112-2B07-00000000E601}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036534Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036533Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036532Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036531Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036530Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036529Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036528Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036527Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036526Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036525Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5E1F-6112-2B07-00000000E601}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036524Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.942{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E1F-6112-2B07-00000000E601}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036523Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.943{82855F7C-5E1F-6112-2B07-00000000E601}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036522Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.864{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4AF07E8386EDC3D243C06749D120D4E,SHA256=B01504A8B2743865CDCA07B5A0F65EAC126701E034DB5EF196ACC2BF24134F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036553Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.990{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3A6286DCDFFD34FD4BCA805E6F456D,SHA256=FB00B862D671DFC12B7485EC8F2ED5F958B7035F469C2B5481B83DB1A14A166E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050592Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:16.494{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B86D0B71373773EC0A95FD8B986FAFD,SHA256=F1CECDFE625C9F6FC90688ADD70BE1B0AE6CC602B29C1EABDB7557C08406084F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036552Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.974{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5C02CC4E7A5818E427316A40AE0FC95,SHA256=1A9F665D23CD9CEBA9B76D590034090D7D4A8BA99B00E2D98A8F2F2A5DFEEC8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036551Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.802{82855F7C-5E20-6112-2C07-00000000E601}8483612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036550Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E20-6112-2C07-00000000E601}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036549Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036548Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036547Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036546Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036545Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036544Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036543Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036542Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036541Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036540Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5E20-6112-2C07-00000000E601}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036539Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.614{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E20-6112-2C07-00000000E601}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036538Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.615{82855F7C-5E20-6112-2C07-00000000E601}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036537Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:16.099{82855F7C-5E1F-6112-2B07-00000000E601}36403800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050591Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:16.410{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F204C0739A6077FC1FE56397371E44,SHA256=99F80EE2310CCF1702C4585E7A95DDBAD971741DC0851B805E1B6BE6879CCECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050590Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:16.410{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=659EFB5C67CF85281FEDB3833EDC3DEF,SHA256=8DA5081F59440B1DDF6EDDFE0818322637D995608C34B52BCF34C65BF14B149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050593Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:17.525{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1E835AD49135D3C7A783AEC817E5D7,SHA256=690EED7906B0EFBBA5A76D9B927A401268638ED28379A7477B9A97D0738261E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036581Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:15.816{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51755-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036580Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E21-6112-2E07-00000000E601}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036579Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036578Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036577Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036576Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036575Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036574Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036573Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036572Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036571Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036570Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5E21-6112-2E07-00000000E601}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036569Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.708{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E21-6112-2E07-00000000E601}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036568Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.709{82855F7C-5E21-6112-2E07-00000000E601}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036567Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.427{82855F7C-5E21-6112-2D07-00000000E601}18883136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036566Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E21-6112-2D07-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036565Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036564Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036563Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036562Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036561Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036560Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036559Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036558Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036557Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036556Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5E21-6112-2D07-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036555Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.208{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E21-6112-2D07-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036554Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:17.210{82855F7C-5E21-6112-2D07-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050599Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:18.739{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050598Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:18.692{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000050597Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:18.692{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000050596Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:08:18.692{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.72.168522501C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000050595Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:08:18.692{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.72.168522501C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000050594Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:18.539{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0369F33BB3125491AC67EB73AF1D13,SHA256=C5EB9F032BAAB0D5B439AF75EF6CEA2B418E10ED77577350FB9AC20BD99D60C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036583Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:18.364{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C328E15C96B569447A67D24D1BFC0C39,SHA256=07C472D5C2B1B99FBF4D9B4FF869517265C09A7E001EFD49CDA433A4CE327011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036582Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:18.349{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34644FCBDB37F0E788DD8B08AB9208C3,SHA256=F51787E8160B78322447E315E519BFD7407524806E08F7E66E15EE5003A0269B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050600Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:19.554{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A71021C299BAB7705BCBBF32B6A70E7,SHA256=D14459A89F51D8D81E5FF3815F331ADA169131A7A6E619F8FA88132827FA8BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036584Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:19.380{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3577BF6F9AF9FBA4358C73AFF183674B,SHA256=126A04DBC98D21FDEFD08117DDC3DBE1BB840483F69340718FF9AEE50349B938,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050603Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:18.504{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64678-false10.0.1.12-8000- 354300x800000000000000050602Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:18.153{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-33623-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050601Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:20.571{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11B182BCC1A5BB9DB51833CB6C67985,SHA256=61D9EC0446EED96DB42C96D6F812694D13E8E3AB52660068E2D2A7776041A60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036585Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:20.411{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFE7F7F7D306F8C095CAE7A7F7CC54B,SHA256=20F50DB7E2C0B2BB99B35AC1604585535570842351B68A8A50136255CE6B330D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036586Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:21.427{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34E80FEEEA63B90519723032DB55449,SHA256=0B2735B46D5428A72F5CD13357EC479D028426898BCC3EAAA668218195D18AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050607Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:21.872{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D0B4E41F5015345EB5B8BCBFD91C24,SHA256=64F0D998D15633E9ABCE6242D51778C3BFD29E6F3871B02C9A5DD03053F358A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050606Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:21.871{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F204C0739A6077FC1FE56397371E44,SHA256=99F80EE2310CCF1702C4585E7A95DDBAD971741DC0851B805E1B6BE6879CCECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050605Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:21.868{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-5C43-6112-8608-00000000E501}3512C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050604Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:21.606{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6431B27E80BFCBD8065AAAB20FD9442E,SHA256=6791E9D9EDB775D533F1E4ADA2D31B4D76B023BA27F247F0710D597958F7B83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050608Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:22.652{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B86B26B8D1531F9F611E35AEEA0846C,SHA256=6B36F15D377D7BE8592E5BC865FF077E00C5497AB0CC24877F6CC5BFA9FBDC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036587Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:22.505{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54D50234E346679EDC8FE96F2ABD342,SHA256=8C3168DD469998A518A1FA0C4FBFB4A9B461C4A327DAB13728905EEAFFD40B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050609Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:23.672{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7180CB1EC58530ADBF9BE242936D7037,SHA256=E39E4DD5DADDDB8406D470F7BFAFFD21F22543CDDDE5B317A6653520EC4CFA20,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036589Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:21.832{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51756-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036588Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:23.536{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83138F26E9BAC29DF01E087E91D51E9,SHA256=8C5A27D0E2584A7ED246083E2ED521C28731E69906037229CCAA233F032D2ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050610Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:24.719{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A123C43837357BCCF372D1DB663E455,SHA256=DD345A2E540368741D6DD5B91BC35CA26F84B9FE1FBCF10996AD9586678ACE96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036590Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:24.552{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634E7C7D2C2A3134C0DBFC0103ABDB7D,SHA256=77D9F01D565F8FB4C294882411E61A042523E0B6081CBB3F50D251BBC4C68AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050611Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:25.738{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C345D7C08438C995765E74D0F91AF24F,SHA256=A4F3A04AEFCCACFDF646E17C9FB9066D67B497021309EC06411B01666146CE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036591Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:25.599{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A56338110F3170439BCFA9D86E6C99,SHA256=385B2AC6971ECCEAC5D028B4184827486892D222073C5FCEE9B37C3DE9513919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036592Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:26.614{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7780A6929D39C1669891B23AEB224110,SHA256=82639347A2DC607DEC5283B6A85095A80E80BC3ECF08EC6BC4C4D9BEF4E31A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050612Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:26.752{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC317B682E51BEB063093D261706054E,SHA256=11E8109583618E7852CC2E1331E942459D38A582FA315AE14ADC8D6E1976D1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050617Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:27.774{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C337D6728C813D49B65ACA35273380,SHA256=4029DEFE90B625BCD836A6D4DB6990DB5D9A4D1EF883944AA49DC48488D176E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036593Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:27.677{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419BF85E84A927E52F2D63B42402203C,SHA256=B49EBC962B1FACBD6EAC43EF5B0D4A23A550AAB05D885DF3C6A0D32B4FC3F5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050616Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:27.490{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D7BD7CA2D31BCF23C51EB986623878,SHA256=9D245610A4179CFA3000D1C45550E713D1453A9AEF0F1D86696B6D1594C69BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050615Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:27.490{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D0B4E41F5015345EB5B8BCBFD91C24,SHA256=64F0D998D15633E9ABCE6242D51778C3BFD29E6F3871B02C9A5DD03053F358A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050614Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:23.622{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64679-false10.0.1.12-8000- 354300x800000000000000050613Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:23.570{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-43706-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050618Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:28.788{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF463110056DF160FA48807D555185E0,SHA256=390B0A24249F5F894F10AF68C3417A6A95722EF09AF46C6B30CBD704E393308E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036594Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:28.739{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E87E3A07360981F8034D3505A0ACC51,SHA256=10DCD33BFB8354BFED56F09E25D7C923D598573D6E961F9AFC1785901C0458EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050619Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:29.835{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22DACCA9E6C025B9953E6D4C792F7FB,SHA256=BAF0256C508EBE4872CDF259869273F4F3A05FF092E673DD0B125DC93537E648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036595Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:29.760{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4220971E32493A9B02EBC54D07A32C97,SHA256=7400C981744C5531F0F3A2E94E0F8852BC14A4B1C3806EB8A636395C921CACED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050621Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:30.849{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13345F3ADD474248A6171310E4EBA58B,SHA256=45FF979C7D8A3E5B55585B63004284A349A5D13F773205C646A579F7CDDF38D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036597Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:30.775{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D920EED12EAB7680AC66CDC8AA982993,SHA256=EDDAA91D155E2CAE7725C8031E199C875A3D2F599FF8DF8AAD2A9084918F3EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050620Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:30.770{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036596Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:27.816{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51757-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036599Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:31.807{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1D6CC0109333BA5041D249AD6246F7,SHA256=567603C2715AF56AB931C6B4ADE458A63750FB6EFC6886566F8938A52D00B1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050624Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:31.886{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E113FD50871BDBA61703BF2876C109,SHA256=7AA2927BF4F9E36BA1997E677558FBD2AE745BC72178EA817C6B795B7C81859D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050623Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:29.091{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-53774-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050622Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:28.638{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64680-false10.0.1.12-8000- 354300x800000000000000036598Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:29.537{82855F7C-3681-6112-0F00-00000000E601}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse20.79.73.243-56858-false10.0.1.15win-host-456.attackrange.local3389ms-wbt-server 23542300x800000000000000050627Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:32.901{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0B1A2FB5ECA617FDB19D2F2F4765B3,SHA256=D46472B3B15A16BA43603C833527A4FAE3797A0837A80DE8AB6A6D960132D479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036600Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:32.808{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FA1D5F6F2B8BDBF6B8C18D214093C9,SHA256=55BB9AA0F226B33F8502FAE9249C33299D4EA12B429B09F73C22D2A89706577D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050626Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:32.801{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D68F35911AC680F9F1C631C4684D2C3E,SHA256=52DAB4A4D4F806087438CFAA190E18AC335270CE86F0556B3FC1A6034E8C8476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050625Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:32.801{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D7BD7CA2D31BCF23C51EB986623878,SHA256=9D245610A4179CFA3000D1C45550E713D1453A9AEF0F1D86696B6D1594C69BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050628Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:33.916{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D179316900F89619B771DF39DF5D129C,SHA256=48BD8DD07C5A4A92B478BF0D10986B2D998CF322DBEE0839B2B99932B786CC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036601Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:33.854{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F19C54E172D9A19805866E3E5FFF27,SHA256=E60493ECFBBB6CC6A711842DEFD8B71DDF4D648983F2AA3EA379D96169E04739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050632Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:34.917{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC1AB1DA83708AC9DF78B1E53664DCC,SHA256=7DE61EB17B5FB7017B2DB9AAB675F5DEF1DA9B3F168A616E88648301E64B917F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036604Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:34.869{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076575B9ECA0D8B486AC01C72A30ABDD,SHA256=71A621439CDF6BEC5845EC35B92BAEDF8FB9C4FB17405078CDB737E88A12EC5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050631Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:31.598{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64681-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000050630Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:31.598{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64681-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000050629Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:34.031{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036603Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:34.854{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02C4055C71C836E2BBDA1F6E11C6FBF5,SHA256=CFA3AED35F1AE10D727916313FD82D72912DEF000FCB19B8DE1B1CF6D51F7098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036602Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:34.854{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=794C40461707CA4DD0715E3BF77FA467,SHA256=8F5096BF2E90A632C2E553FA52BC8872A495CDC3177683D0D4AF33E4F2500ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050634Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:35.931{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E32FD95CE71F3BEE7D203F373F14B1E,SHA256=592DBA468FB19ED798F8348EB3A55CBAF6A3F70C0961ADA26BAADE1A90D55F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036606Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:35.901{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0DDBCB3ACEBB56562AB9486E552B86,SHA256=E15240C8BF9CC06F4672FA9FE2E490817CA24BE33DF0964393398E1D8B2B6A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050633Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:33.465{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64682-false10.0.1.12-8089- 354300x800000000000000036605Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:32.977{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51758-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050636Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:36.948{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6403080E4A7C063C20F3272B5AB1FB0B,SHA256=EF1A4F2EDCE9BEA7C50F0B1A43ECC2E3F4376C7FC2DD56923C8C410C47CFC3AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050635Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:33.759{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-1441-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050638Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:37.965{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF36B69BC04279ABEB9ECEF6D90C8B,SHA256=F3B34279E55BC81FF6B1A4B9DFDE1BA46F397A7119B91FA523481045622A8697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036607Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:37.010{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECCC69A8D7A1BEAD7051B2B098F57D2,SHA256=E0019D5103CE8ADDE69F23FCD97105A90DF74AEE8B115210F41F518A3883D96C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050637Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:34.581{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64683-false10.0.1.12-8000- 23542300x800000000000000050641Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:38.984{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BDCCA6315C00E0290DCBD5EF2900EB,SHA256=4CC7ED875FDB73A3B245CAE5AFEFE7596EF6F62598A4B93548F058509AEA4445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050640Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:38.431{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E5EF3222A67E158B75B3AC3675348D6,SHA256=656B12DB37C2C8D20DF20667BF9FF49B6B184965B5746AC52F6FD09B2302F7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050639Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:38.431{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D68F35911AC680F9F1C631C4684D2C3E,SHA256=52DAB4A4D4F806087438CFAA190E18AC335270CE86F0556B3FC1A6034E8C8476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036608Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:38.025{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CF76C855073F6EFC9AA0734ADAAEE8,SHA256=8BACD7DE252B87F9BFCA499D639367475E1AF7DDEB98719558A2E948F60D979C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036609Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:39.041{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE960BBD7075728BF42094E05283C0B,SHA256=AEDECF90816F20B97C1FB6C3C531B12B8E8AED400526CABD44FBB751BDED77F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050642Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:39.999{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE22A295A98C88CE95BD4D0A108428AA,SHA256=B52532633FFCFE1572626C7D63F9ADC68E32EC6F61CD6D29E9B65D433B0C5C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036611Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:38.836{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51759-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036610Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:40.041{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E8EA22A4F3DAE0007718720CE0E2F6,SHA256=A5CFC3512F5B15B7C663972C00807D47A278F80C98EFA34A97FEC66F7A580B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036612Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:41.057{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4C00052C64CA74B01E20321B887378,SHA256=A6725A294C4A273F3C5C80F4EA9285F279D1482AC331598E9B879A343B1ECB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050643Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:41.015{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A9CF6628B7F3E00F2630288CE309B2,SHA256=48ACC92B7CFAB91F5B156A4318E44CB90C72E51B2AE6AD19FB5C8BBB90A6CE84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050679Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050678Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050677Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050676Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050675Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050674Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050673Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050672Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050671Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050670Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050669Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050668Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050667Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050666Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050665Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050664Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050663Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050662Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050661Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050660Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050659Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050658Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050657Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050656Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050655Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050654Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050653Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050652Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050651Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050650Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050649Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050648Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050647Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.898{82A15F94-3493-6112-0D00-00000000E501}900920C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000050646Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:40.496{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64684-false10.0.1.12-8000- 354300x800000000000000050645Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:39.248{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-13424-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050644Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:42.029{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE4CB52DE92D4168B3CC57892E29989,SHA256=220A7EDB8E9CFD18AAB79C5EBDF332610AA3C55841C2839BC3F6F99D7871EE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036613Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:42.072{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6197D45EB6E352E7D00A500B07EBA6F,SHA256=CBFDD86C4CE0E6A6CE770DB5F1EF101C99ED19EC23FF6A7FEACF648C2F58189F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050681Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:43.213{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3902A2BCA0C62406BE8031A9C781051,SHA256=6FB22A79312B5F1A0E91DE2CB86C8A022EC32C59CF25D6EFAD103D08DEC2FFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050680Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:43.213{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E5EF3222A67E158B75B3AC3675348D6,SHA256=656B12DB37C2C8D20DF20667BF9FF49B6B184965B5746AC52F6FD09B2302F7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036614Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:43.072{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2423C4167A7A4149A75DD621E1AC729,SHA256=FDB6592150EB4C2E5FA2F247B3158183ECED97CDF1B3ABFFFEB63533C9E3DF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036615Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:44.088{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582D3286E0DC4495FDC274D465021842,SHA256=8D9AA808CF46D5DD628808CD8E50F2C7880CA472443AFDB332C2C43657D3E25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050682Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:44.228{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D7B53A2CCD1AD4CEE2A4BEF32F9C65,SHA256=B145B3E5C5E61E4C05983E859B8A0E06BD725BB3896F7A20F2876D1CD956FDD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036617Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:43.852{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51760-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036616Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:45.088{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490976D874A61716ACD3123F9D1E7ED5,SHA256=EAED4381D8FB91EDEFBB3A17EB865D17D38D5AE001326A0980EA446E2291C3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050683Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:45.243{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33677A48F407D8A666C987C5B2B90600,SHA256=0BB3A134B512E2D96C075484F60079AD9D5131839415514F3F613847C4A88383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050684Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:46.260{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00B9B1B1CF1F439630811FFB901157A,SHA256=EE3C100F4331A4CF00A85E489F38DA9AFAD3D4DB10EB1E530AEB41AB6895E0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036618Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:46.104{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE27EA2B41642144642EBB05C5E1981D,SHA256=9F5DADB66E902669B61F7C3479286CE0ADC680F23242C481F4C258241535EDCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036619Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:47.119{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7142C4BFAF1E5D83CD9276D20F9A61,SHA256=2CB0154184063C4FF31C168603514EA5EB9E75311842051EAEE2945BBC6CFC26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050687Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:45.629{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64685-false10.0.1.12-8000- 354300x800000000000000050686Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:44.884{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-25106-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050685Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:47.279{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548EDC1C9D203390A526449BEA6700E8,SHA256=35F480942F166ECB02EC38D952DEE0BF835FD459CE9150220F669AA9DD7C1839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036620Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:48.135{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C8FB33AFF7902D2409E2F3E94E018C,SHA256=2898C42F17F2FCE51A2A449B273426EB37062275CA3CD2CB1EAA3DB77330E729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050688Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:48.294{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04853F90472543CBA6DDEFE3A6FA32EF,SHA256=5883CCFF609C8D78A4CD6F31E3AC6064C3A64CC44A07157896CC991426C3397C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036621Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:49.150{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C16654CEC15AB6B59B37035A5E6728,SHA256=0B642D3CAE925485E8253A820F8CC2875528971A9E1CEAB7D9D52B9D2BB8B287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050691Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:49.478{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE51D130C96E96276308CD0B10B879E,SHA256=E38955928BF44EECBEF274F76DE0955D4AEF525D8A197B370425C08D2454FA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050690Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:49.478{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C926C0434A72F775E3349D2074A0494,SHA256=04C45A3873128C4E61C0FA98C9F37578E6FA75FDF2FC4F7049EB54375B152182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050689Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:49.310{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D2661FCDCDD9B61DE9A86C36D31B99,SHA256=857D8BFB898DFAE98C74E5BD170A05CD1DAA88D8FBC5A45F31BCB807340460A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050693Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:50.340{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51211A4A806C472268619D647457E4FB,SHA256=DD7F7008E37B76A86797E2856F44ABF8B404EB54B70010CD516748A722A2C4DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036623Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:48.883{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51761-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036622Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:50.181{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DDBDFD24F673F0F1AF7B0F3086CDAA,SHA256=435EF45B78C9E4652C63AA7E9FFC92EF1D625AD2236CC87EF31C1E8DC3DA8262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050692Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:50.261{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RFa2e8c5.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050694Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:51.358{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C50D176A5D82310318E4E9DC3EA6FA,SHA256=8082DE84A2C166E66EEB7D0D11A35E6B58A4225A9B344115E222B3D32983E227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036624Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:51.197{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F560A3E8D4E64BE06F6E020D56A801C1,SHA256=1F12A18C1545C107FA56378EC04B3CEA1B865330CE7439A7A32E675199C8A61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036625Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:52.213{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB9660AE3D9CC890C3D03F05C859A0A,SHA256=9484E78CA63B09C221B67DCC1A8A4BB129562D0B690CAB1F467C15752CE67E5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050696Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:49.984{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-36572-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050695Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:52.376{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C27CAE47AC8F60580B31DB01BC21D18,SHA256=7DF02CB3AEEF9DBD4243ADB5D6DD3CE9B3A18D87B0CEDD106DD23CF14C01B02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036626Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:53.228{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8908C2D2627C43845F1A24F56F9293,SHA256=92EAA67552BBB5B5F1190B3A9FE3AFB692C9888B1FC9B2CEC266C8172E718212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050697Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:53.438{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA11E0B6AE543C025F937661505E3FC6,SHA256=102A4B369E06A95D9FEE3B1623CB295B10A76F09CC2B9518DE34228EEA92A88F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050701Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:51.657{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64686-false10.0.1.12-8000- 23542300x800000000000000050700Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:54.558{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=592B709B3A328EBD32AB3A625D33C7F9,SHA256=29932255675701864907068C8A56036E310BB029D9CBEB66C1CD0666C607452E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050699Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:54.557{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE51D130C96E96276308CD0B10B879E,SHA256=E38955928BF44EECBEF274F76DE0955D4AEF525D8A197B370425C08D2454FA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050698Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:54.475{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2AEBB5288C31F774DCB70DEFC3B7D8,SHA256=4104B05DE7E750B344E811B754B65D6B7F286C325A15E16C57100389237CA459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036627Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:54.276{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FE62A1260F451C4C91DDC6EF22F914,SHA256=0D535F6EA50D64A4DFBF6A7449659449A50D85FBA541C29B5A240647D5B6A929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050710Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.476{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4305A9BFFBF9C478808F1E46E07DFC3A,SHA256=1FF643C3A76AA2BD81864A76B1DABC3CA65CDBDA7A0D28FF20957194BC5EE70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036628Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:55.291{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B94A8684FEA3A83515D5655ED9E665D,SHA256=A7FE6DDED1E081334E2F81620489E27FB21B823E42893D07E1E524E76052EC1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050709Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.407{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E47-6112-BF08-00000000E501}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050708Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.407{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050707Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.407{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050706Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.407{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050705Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.407{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050704Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.407{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5E47-6112-BF08-00000000E501}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050703Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.407{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E47-6112-BF08-00000000E501}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050702Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:55.408{82A15F94-5E47-6112-BF08-00000000E501}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000050730Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.758{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E48-6112-C108-00000000E501}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050729Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.757{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050728Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.756{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050727Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.756{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050726Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.756{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050725Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.756{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5E48-6112-C108-00000000E501}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050724Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.755{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E48-6112-C108-00000000E501}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050723Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.754{82A15F94-5E48-6112-C108-00000000E501}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000050722Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:54.063{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-43287-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050721Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.491{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F093F9B96F3A33FEA45CBF89DE387A3,SHA256=12BCCAF83556C9F548019B7D72262C2DDF567549C88AA49734CB05A9798693CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036630Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:56.291{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE30379F07BFAA7322C8C628B96841D,SHA256=925478B7F83C44455DA3CA2A45EC98DD50464FE03FF9EC0065ADF238794BF9F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050720Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.422{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=592B709B3A328EBD32AB3A625D33C7F9,SHA256=29932255675701864907068C8A56036E310BB029D9CBEB66C1CD0666C607452E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050719Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.238{82A15F94-5E48-6112-C008-00000000E501}14765976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050718Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.076{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E48-6112-C008-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050717Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.076{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050716Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.076{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050715Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.076{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050714Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.076{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050713Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.076{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5E48-6112-C008-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050712Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.076{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E48-6112-C008-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050711Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.076{82A15F94-5E48-6112-C008-00000000E501}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036629Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:54.023{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51762-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036631Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:57.338{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FA84C07B609010924118912B3B85F8,SHA256=A5808736BAD6EB2D0074418D914CA3242E96C8651AFB55C3A6E0BF68713779EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050748Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.991{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050747Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.991{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050746Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.991{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050745Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.991{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050744Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.991{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5E49-6112-C308-00000000E501}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050743Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.991{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E49-6112-C308-00000000E501}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050742Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.994{82A15F94-5E49-6112-C308-00000000E501}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050741Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.776{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7713DA07FD773678B2EE4F10FAD94524,SHA256=7CE7A52FCC60B1F81D68769025F3F13493E49290EF494833CFB1B85FB5AA46DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050740Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.638{82A15F94-5E49-6112-C208-00000000E501}20403928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050739Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.507{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE5BCE0108E1661ED9470F9C56F7DB2,SHA256=8D4D7C6BAFED5A50FEA9988184263F35D8BE75396F273ABF6C0E49804D4F608F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050738Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.475{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E49-6112-C208-00000000E501}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050737Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.475{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050736Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.475{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050735Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.475{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050734Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.475{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050733Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.475{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5E49-6112-C208-00000000E501}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050732Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.475{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E49-6112-C208-00000000E501}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050731Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.476{82A15F94-5E49-6112-C208-00000000E501}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036632Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:58.447{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD9B3CBEC662B02DC87E2EFAF8FC452,SHA256=4775308546C97A8557AB4ADB1146734B31C76DEA7C15F598D7D1E6897C7AE5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050760Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.775{82A15F94-5E4A-6112-C408-00000000E501}66682544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050759Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.591{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E4A-6112-C408-00000000E501}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050758Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.591{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050757Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.591{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050756Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.591{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050755Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.591{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050754Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.591{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5E4A-6112-C408-00000000E501}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050753Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.591{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E4A-6112-C408-00000000E501}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050752Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.592{82A15F94-5E4A-6112-C408-00000000E501}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050751Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.522{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5BEA581D22069EE8EA93E2031FC08E,SHA256=C059DC9BBDB5B1BD1210FF78CBBC9A1D6900750BE523E4F6F69A21AF2E62C633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050750Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:58.155{82A15F94-5E49-6112-C308-00000000E501}45526468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050749Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:57.991{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E49-6112-C308-00000000E501}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000050771Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:56.672{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64687-false10.0.1.12-8000- 23542300x800000000000000050770Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.537{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D9CB07BA0CB2F8C58B63BA5C0DDC8A,SHA256=316922CCD26DF8DAE5DBCB7CD7622BA5DB73CA1195E783A355B03BDD2206EB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036633Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:59.463{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C120E9D7C99A345E649859270BC426D,SHA256=FBF080D0C788930481A03F3F3650CA9C0A676C64BCF97B8E608A53E2D944E021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050769Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.190{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E4B-6112-C508-00000000E501}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050768Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.190{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050767Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.190{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050766Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.190{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050765Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.190{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050764Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.190{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5E4B-6112-C508-00000000E501}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050763Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.190{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E4B-6112-C508-00000000E501}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050762Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.191{82A15F94-5E4B-6112-C508-00000000E501}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050761Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.022{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F511DD59DED3C607F9CD07C0364DF777,SHA256=15A403008562B7D59C110D9B5DF4307E6629F15D753EB894F8E9934707B76ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050773Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:00.539{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F62601C5887F420DF8E8634F53EC080,SHA256=5005ACAA07F844BBF7E02C93C05EB511066EA75A1D9751BFE23DEF57849EF474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036634Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:00.478{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36459AD7FF97A8247C1D9D214F07D413,SHA256=E7225887FE26EEAE436FEF35D30A3A1DE69A18DE474EB52E704DCB062301C6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050772Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:00.193{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F18A0062AAECD88F9950D35F4A38366,SHA256=B9E75105173621FB7242B623BC2A32E811A5FAB6A6409A5DAE396F6D61098593,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050775Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:08:59.651{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-56390-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050774Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:01.541{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF8860E8B505D48412FCC03AD722319,SHA256=AB5A094A958907EF6CD9F8DC1EE30ADC740A83C19E2E8B1C0A6057BADD765509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036636Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:01.510{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7025B9674B9F6EC9563F0C3B57D288F4,SHA256=CD2FCE3F58E7B87175AA0E292AF1AC3D4E7C10CA1F8CB7AC28FF220138CA0867,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036635Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:08:59.776{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51763-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050777Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:02.559{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E4540B2FAAFB8E464E905C088EDED0,SHA256=CE19010843FABC5DA2ED9855C8D64EEDFEF7E8C1DBC71CFA88E81DCC7808CCD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036637Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:02.541{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7A3988B5CD9739D6B3B03D7AF39842,SHA256=71E1F5D4873A96A78FC22A7283032A0809B3ED5B43308C1D7B8860A87AFFC9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050776Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:02.256{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B75F0F462313675EAA94E053C894E0D1,SHA256=2D1EC16B64E20BDBE3A8EE4C44C2CA8F5F94A141CFFDDA705A2FB58E03C5FE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036638Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:03.650{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057ABBD46D6AE5B14C21705C22F67DE9,SHA256=444FB64EAD926E79062E7B8D9E35CF383124284CE0044CBE79BDDE672C3357B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050778Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:03.577{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C0AED69656CFFE79697298A3861AC3,SHA256=31CFD2068A5CBBFFC67A88B40A7EDB2B08E3670258F73D8B8D10F0D56A765A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050780Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:04.577{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AC1596AD63FBFD8B955910848BCBE6,SHA256=451092546B0AB6B6CED7F734B203B11D4CC69440BB41987DB0361519E90CC302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036640Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:04.652{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BFE208CE701F5E48D441DD952C302E,SHA256=0161B9304E6F757AE1AA106E2E84E762135D745CACACFDB872C58F11C481BE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036639Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:04.371{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050779Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:04.477{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D56FC518F161C5199962E629BDFB510,SHA256=7FB432404EAE5B550B173529CB43E79BB36D5D76466264AF583B4E2BDA7C1DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050781Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:05.592{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B413CCE80DAC2870348E3BD7D3B983,SHA256=4CC628590EBF59DB1763CF7DD31DCC9E3DECF0AD99E7AC1DA7FE7BE7D900780A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036641Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:05.665{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECDE496680EBB1A3B281F8E1A26C8DE,SHA256=22DA2ADFC8774CF7B83939C23184D16E215D1A15EC87192D5B4F6E249D963398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050783Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:06.607{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426617D0A2A838EBA4303260712D9633,SHA256=C19816CB3B989FCD7CA8DE4D105195E043027D5747E1598ECA06A140A64D74BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036644Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:06.667{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64710755D99EE8B6F79A43A9C3EF603,SHA256=F19684F85BD4681982FBBE16A5147C782BD96636AC3B3915FBADF37E71D2A795,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050782Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:02.626{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64688-false10.0.1.12-8000- 354300x800000000000000036643Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:05.006{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51765-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000036642Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:04.119{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51764-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000050784Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:07.622{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5644F2EA94EDA2A55EAE4D843A8AF7E3,SHA256=E070F27DD11DA84A6AFF6DD5528040FD4080F3900A579BD1E0046B146C2AF153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036645Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:07.667{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C256007E538550A72800BC68ED0BAD92,SHA256=728213328FB59A6ABFD5178AF5BAD41CF53F855115EBCD88D62075EA36B02C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050786Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:08.875{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D08D15A309D7A4CB6FD9542884E18CC,SHA256=068AB73DCE9B27B100AEBC1B9C1FE3AE2A4F4C4A30B4B483AB0A10B86E73E730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050785Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:08.638{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C020D7FAE09F9BF067BC064ECB0E0A96,SHA256=1ECE2E535763662D4E062C10AE7BD6C3CC747B22CC2005C8933C36DCE70D0F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036646Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:08.683{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E225313E97313DE0EA4FB79233022132,SHA256=FAEB4A7A71A6A15481EA9B05FDFF585A964C862C6B95785AC6386A526B4B161F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050788Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:09.659{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1C1355EB01609B87DACB69EEE45BDD,SHA256=EBD9EB4837BDE1CA8607A620D5D663CAF8F110219CDC0E97808BEEE543AD793E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036647Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:09.717{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D491C5C5713DC2932A9D4F55BC2688,SHA256=C3306552DA952DE0649CFD533A47A015839DCD6D2F731A3EC21257FE0B3E8664,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050787Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:06.334{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-9516-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000036648Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:10.764{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B9BF057D757054DF75C84A612B1321,SHA256=6280698B06FE82A8D14909DA6190691E6ADB40A2518313D6F3F0C3CD11D5299D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050791Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:08.966{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-16828-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000050790Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:08.490{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64689-false10.0.1.12-8000- 23542300x800000000000000050789Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:10.674{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAD4F0BEA800AB0731BABE37A5A6EE4,SHA256=BC78C683AAE1D56A6AD064DE3AD9B74F77A5A079311AF5CF2076E1D96DE00FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036649Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:11.796{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B545E22BCA814123FD29623AC7F441B,SHA256=213F935AB5D3169F5635D022ACEABF64B34B721C8846936F03DF1E3ECAA86426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050792Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:11.689{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCF2FD75DE055454868E8EA2708B8B2,SHA256=CC206881EE47BB124414AF125665172D2A5C407AF3771E6C3EB6D5B5CFF5E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036651Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:12.827{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F6D8A8F69F13731C126C624360D44B,SHA256=0AEC44535A1474F691ED02077AF5D9221F772E5C130317BD0508950FCF5BB180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050793Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:12.705{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472F2D5DCC55CB1B06975BEBFEC91231,SHA256=919B3441415FED16E007822AA24B8C679EFE3A88954B9495373D642B6F96B3B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036650Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:11.012{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51766-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036665Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.827{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2410B5FA9F58A1E19527BF717AE6921A,SHA256=4CFDC9A9DEC3E92D0F8C815496B6D886C3748C98700402BDF80F12BFEAAEAF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050796Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:13.972{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=141C269D068870E2D69794B85E93D408,SHA256=E0B5318A3CF2F8F69183BC5EB8B15A5535D975541308D53641212EE906D12A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050795Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:13.972{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D53018AF4A487CC1C73BCF5907CF21,SHA256=BB5185555F8CEFD5D5767CB4F71037460F17A9EF79B18F8C1AD6E1C4A3372D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050794Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:13.735{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32DAA17EAF5091D2679132302CD9F1CD,SHA256=C44B0F1ECD4A0001040E7BBC85661EC24F2DA001E1C007379D0917A4C962873D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036664Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E59-6112-2F07-00000000E601}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036663Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036662Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036661Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036660Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036659Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036658Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036657Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036656Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036655Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036654Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5E59-6112-2F07-00000000E601}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036653Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.686{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E59-6112-2F07-00000000E601}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036652Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:13.687{82855F7C-5E59-6112-2F07-00000000E601}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036695Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.952{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FF7A4D59E9359C13EB4D8E8A083558E1,SHA256=893AFECF04E910333B3AF87906A498D8851E8D860FF3EC9846AD9301A07C6379,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036694Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E5A-6112-3107-00000000E601}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036693Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036692Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036691Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036690Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036689Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036688Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036687Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036686Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5E5A-6112-3107-00000000E601}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036685Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036684Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036683Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.921{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E5A-6112-3107-00000000E601}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036682Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.923{82855F7C-5E5A-6112-3107-00000000E601}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036681Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.858{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EDF3A4D6A4640E9C3A90DBCA87618A,SHA256=211E383D1E69ED1DB8D8F797B9C54281A9D1DAD2B71B0007950425D661B978B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050797Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:14.754{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88646405D5E6BB2654562F1E693E45E5,SHA256=2167F47D5C0253694A9B0F86C8B013FACBBD40715FE0A7CD1F05F226F7412BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036680Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.733{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08533CF5FB2D5BD7384CAD85032CE7A9,SHA256=ACC0CEF76CF4896BB05F51A6C9A70BDFFD583CEB0A5AEF4F2FC48BE6F66FF94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036679Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.733{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02C4055C71C836E2BBDA1F6E11C6FBF5,SHA256=CFA3AED35F1AE10D727916313FD82D72912DEF000FCB19B8DE1B1CF6D51F7098,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036678Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E5A-6112-3007-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036677Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036676Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036675Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5E5A-6112-3007-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036674Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036673Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036672Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E5A-6112-3007-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036671Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036670Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036669Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036668Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036667Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.296{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036666Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:14.297{82855F7C-5E5A-6112-3007-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036711Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.953{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E5B-6112-3207-00000000E601}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036710Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036709Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036708Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036707Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036706Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036705Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036704Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036703Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036702Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036701Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5E5B-6112-3207-00000000E601}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036700Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.937{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E5B-6112-3207-00000000E601}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036699Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.938{82855F7C-5E5B-6112-3207-00000000E601}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036698Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.922{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08533CF5FB2D5BD7384CAD85032CE7A9,SHA256=ACC0CEF76CF4896BB05F51A6C9A70BDFFD583CEB0A5AEF4F2FC48BE6F66FF94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036697Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.859{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3317983312CE67FABFACEB5A688482C,SHA256=11427D1A4FC4130389A50D972F58A6C36E20086025E2755091F2468EE95D5FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050798Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:15.771{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79B6871932CB279D7C7728A9E2A22C3,SHA256=F216ECF34AC98C9353E0B803AF04A12C3444F10EDD985A2852FDAC2830490D5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036696Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:15.202{82855F7C-5E5A-6112-3107-00000000E601}26882880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050802Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:16.787{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C561DD75106D0EE42507EB1DD24A8857,SHA256=07EB5A817C39ECDFCD83C3E5ED1C8592522577F2A21480C728AA4A58D8633E2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036726Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.844{82855F7C-5E5C-6112-3307-00000000E601}6201936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036725Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E5C-6112-3307-00000000E601}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036724Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036723Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036722Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036721Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036720Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036719Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036718Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036717Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036716Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036715Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5E5C-6112-3307-00000000E601}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036714Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.625{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E5C-6112-3307-00000000E601}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036713Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.626{82855F7C-5E5C-6112-3307-00000000E601}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036712Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.125{82855F7C-5E5B-6112-3207-00000000E601}3692928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000050801Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:16.325{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txt2021-08-10 08:54:16.052 23542300x800000000000000050800Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:16.325{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\SiteSecurityServiceState.txtMD5=9AAEA032C1446C6752549FA068E5A70D,SHA256=298592E6CBEA9282C696B5FFE48C29EDBE9E48F9B722DD5B29AC9EFEBE7D7955,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050799Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:13.606{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64690-false10.0.1.12-8000- 23542300x800000000000000050804Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:17.801{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC42CAD73712A3F71DF7D7C64AE12FE7,SHA256=93D26AA79EC1513D6F2F3DD601B03B64DE0A947D4C23F2DECDA3DD3C94298380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036755Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.781{82855F7C-5E5D-6112-3507-00000000E601}31323052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036754Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E5D-6112-3507-00000000E601}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036753Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036752Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036751Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036750Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036749Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036748Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036747Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036746Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036745Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036744Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5E5D-6112-3507-00000000E601}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036743Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.625{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E5D-6112-3507-00000000E601}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036742Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.626{82855F7C-5E5D-6112-3507-00000000E601}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036741Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.187{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43930274E68C7337F9296D2A22E6B28,SHA256=40E91B753F7921DFCB07834FE470E451EC590960FC6E278CED1106148B1B3FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036740Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.187{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2362F54702EF5E23F3ED5B43E2BAFE7,SHA256=ECAFCA481D9C2FA123582C2969EA2CC2812CF6297AC186E1F75F44090ECAD0FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036739Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E5D-6112-3407-00000000E601}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036738Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036737Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036736Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036735Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036734Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036733Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036732Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036731Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036730Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5E5D-6112-3407-00000000E601}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036729Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036728Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.125{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E5D-6112-3407-00000000E601}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036727Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:17.126{82855F7C-5E5D-6112-3407-00000000E601}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000050803Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:14.422{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-27465-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050813Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.832{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51C6A591137030741AFE72F066E873E,SHA256=C155B72AFA6AF60391617E9F6EF8211FFCAF1C06ED2BD56EA42EC92EBCE93533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036757Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:18.328{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D7345533DD25F0945ADCCAE0A12199,SHA256=13E3E179A873EAA5BB65C7CCA9CE20A0ED98B8473790D9B0417646E72ACBA321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036756Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:18.141{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=069C9BA605400B64192B405A98BCDB2E,SHA256=9C0C596C34BA0334E1682603D1DA988789972D2B10EAD4334FAA23BF0E6A1206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050812Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.785{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050811Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.716{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000050810Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.701{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-42DD-6112-8005-00000000E501}3780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000050809Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:09:18.701{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.3780.26.173815333C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000050808Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:09:18.701{82A15F94-42DD-6112-8005-00000000E501}3780\chrome.3780.26.173815333C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000050807Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:16.289{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64691-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000050806Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:16.288{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local58686- 354300x800000000000000050805Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:16.286{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local59136- 23542300x800000000000000050816Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:19.850{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79182C35CA48D655E1B2C41110B1B28B,SHA256=631150094FEBD12A04CB299F68B387503228357229BF9DC99068BC3CE344CDA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036759Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:19.172{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F55AD24CEB7788B8DB819DA02892BCE,SHA256=A93E8743382F6161B8A1775F1FEE89DF0942FE1519DDF01CEEAE98AFBE96A18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050815Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:19.670{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6B66D7FC41846B59886DF3669A42737,SHA256=CA792D3A3897D1A375CC97FE0162F4FE7D896C8530D3E79CB033782C27BA494B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050814Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:19.670{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=141C269D068870E2D69794B85E93D408,SHA256=E0B5318A3CF2F8F69183BC5EB8B15A5535D975541308D53641212EE906D12A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036758Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:16.795{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51767-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050818Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:20.869{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E3EAED5BBA93A05D9BFB955C9ED19D,SHA256=F650ABCF52ADA52F101CEE7FBF038F61D8CE284B0CBAB744D8B53D0DE01A0F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036760Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:20.187{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A3C7BE9CAEF1EDFD27B6242BDC1097,SHA256=12699BADDA2027404A28F0B67DDF230212ADD2CE5BE6C58E24502FC651B9F43C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050817Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.137{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local61398- 23542300x800000000000000050824Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:21.900{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7D7E808CBFCA47CBBAD78F724F0E0D,SHA256=310623ABD1BAA47D9699F169FDB13D7F202C58FB67263C8A5C72251EB9D5E65E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036761Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:21.219{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC019772D3AE5E6AF784E1C47704024,SHA256=B076BF41A8B114889B90C6416E3A0C278103FEDAF255CA3171DED220C5BF23A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050823Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.538{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local50600- 354300x800000000000000050822Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.537{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local54901- 354300x800000000000000050821Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.535{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local58385- 22542200x800000000000000050820Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.539{82A15F94-3D89-6112-C804-00000000E501}6460e11847.g.akamaiedge.net023.210.254.92;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000050819Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.539{82A15F94-3D89-6112-C804-00000000E501}6460www.ebay.de0type: 5 slot11847.ebay.com.edgekey.net;type: 5 e11847.g.akamaiedge.net;::ffff:23.210.254.92;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000050827Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:22.915{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BCD5EC8ED9D385A833D1671CF7FD86,SHA256=52A3AC438F824326F39FE02131365CDEB9BAC93ECD97F6E649C2AC60B44FC30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036762Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:22.281{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8362F90FEA05A7C139B5EDDFD01A8A,SHA256=6AEFD91BA6BE00C7891C2C89F66838F176F0BCF56D5B8EB460C95E99EC653FE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050826Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.666{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64692-false10.0.1.12-8000- 354300x800000000000000050825Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:18.548{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local63035- 23542300x800000000000000050829Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:23.929{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008E1D0D032E6079CA4339A0B785C2CB,SHA256=DEB70F22DC8FFFF3B75D2937F6BBD3086A6475A3A793EEF75F7427C77E729EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036763Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:23.281{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74EFB186C4DD691687DC6D93397C0825,SHA256=ABA63EB6E3BF0897F9A33558CD3E9FC30A2D722B71D556837171DDB54034C64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050828Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:23.667{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6B66D7FC41846B59886DF3669A42737,SHA256=CA792D3A3897D1A375CC97FE0162F4FE7D896C8530D3E79CB033782C27BA494B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050831Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:24.929{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA605C0A0FE77A19B0ECAF048DB0B08,SHA256=5A8B799D20515E4DC1B742EE64E8FB7A00E7CCBBAD8AB86B11FC6A62D01C9472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036765Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:24.312{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54606343575521165DD5C415E0D360B,SHA256=BABE3287B459B50AF061BC6187DCB3D7EEBF36C99998D5083AC24EEDAEB871AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050830Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:21.682{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-40983-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000036764Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:21.966{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51768-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050832Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:25.946{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F0AA0354A9FB87F9B7E7DFB3953ACE,SHA256=92AD808CF46ED46C44F2EDE94A994B3A3AD16C7ED08EDE4649E9A0D52C0B29E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036766Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:25.328{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2658F30DADFACD7DCB03EB7C6FD0916A,SHA256=DE8929153EFCAA6B73215034415BB59E1B4F3C81623A20A0205CC1336B915DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050834Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:26.997{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A03C0373804B7DCC672CA986572D00D,SHA256=25644AF6EA7C2D0AE5A9149FA62AFF51D8BADEB81D1C8D43DB7E377F329737E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036767Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:26.375{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922A51881384B8D2EF441EC8C410F8F6,SHA256=35D317FDC628F569F2310FF385DAF48D280F1E67F1C6770B4C07686E31447779,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050833Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:23.609{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-44718-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000036768Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:27.391{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6AA54151F6268000C9EDD74C0FCED4,SHA256=88F1E8E676C195780A950288A97B6B6E9D2C3A8CE3DB8672B078750E38E4B26D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050835Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:24.632{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64693-false10.0.1.12-8000- 23542300x800000000000000036769Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:28.422{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2B7DCEBAEA13F31342F6E4C9ECBCC4,SHA256=1521CEFF2AA1769382093747CCE703B643B54BB8A5E6D540975401BB4597AD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050836Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:28.012{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2132C3D3767C7547953AB29FB642B151,SHA256=9AEB41DE57DCFAB383D030A8EECDF22AFC32CFC62DE8AF2522EB96B46DC07D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036771Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:29.484{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F65B13CB70C57260379F38793FA2ADB,SHA256=673474542E1D87BAE1E47D823D5BA20D07E17D1A2391ADA3292079B193718BD1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000050851Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000050850Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00a382e3) 13241300x800000000000000050849Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcf-0xce5dc5f6) 13241300x800000000000000050848Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd8-0x30222df6) 13241300x800000000000000050847Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78de0-0x91e695f6) 13241300x800000000000000050846Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000050845Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00a382e3) 13241300x800000000000000050844Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dcf-0xce5dc5f6) 13241300x800000000000000050843Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd8-0x30222df6) 13241300x800000000000000050842Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:09:29.726{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78de0-0x91e695f6) 23542300x800000000000000050841Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:29.111{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A56488DB021A8A18F995CB1277BEC662,SHA256=27E188EAEE6601FA705A0C69579BBAF1922A54337D217398816D503DA216B7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050840Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:29.111{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050839Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:29.027{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F64AF8D026A1FB2A52443421580FDDC,SHA256=F09B78FFDBED022CB8A0B5F4FF220B1418DCD272E5AC5B52FE5DC6E39C3D92FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036770Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:27.935{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000050838Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:28.998{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40440A3864EEE2D06FC98BEF0F7A18B3,SHA256=8B22E5996692F92C257CFAAADA9466ABC55FCE9EA2ACEC4382D978E0901002F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050837Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:28.998{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69047EA5F8CA88B9D42FC8620D430F33,SHA256=42709D302819FE65195D1EDC39C66CF33E7F8009DAAF84317B6A026F858FC23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036772Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:30.495{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4000C18FEE5EB66D32273BB92AF03574,SHA256=2897D565B62CA00DA5A02C1484C37499D3DC4F165A23CF62AED944BA37867925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050853Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:30.810{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050852Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:30.064{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C92609D69CB65CDF779C8F902E8CC58,SHA256=63B191DD83622C52768E1401AB760E9DBE8228D3B5EA8B8F257A9969452641D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036773Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:31.542{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546EC8B8BAE70D1B0D29E0706CC449B3,SHA256=E258886DC698C31A882D58644E96B5B810CA6B048BFE2CDCC03407E701FDC693,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050855Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:29.220{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-54718-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050854Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:31.078{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798A198B9AF0D28FA39BD4DBE933D59C,SHA256=FA8C82CCA0555B87DE03986DA596C3F9CD7F8151EE8AD32CB352EAA5DDF4492A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036774Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:32.589{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D975CFB56B61317E2F4C515BFC48232,SHA256=F542725502436AA87CBF95648A376BEB3F7D11E315127CECBA5948B37BFA4C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050858Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:32.945{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40440A3864EEE2D06FC98BEF0F7A18B3,SHA256=8B22E5996692F92C257CFAAADA9466ABC55FCE9EA2ACEC4382D978E0901002F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050857Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:30.497{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64694-false10.0.1.12-8000- 23542300x800000000000000050856Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:32.093{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06497F668A1BA6A4FA25C26C0B3B6712,SHA256=020FEF9EE86E823F71B1CA9FF331716118CCF341726F1C78DB3CA75852DC7DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036775Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:33.620{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929A80E59BB12041196B4574B40FA1AB,SHA256=DF72F52A1EBC1ADF7E5C067D00A2D835189246C2399553A7AEFF37617DD4A7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050859Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:33.108{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68667C2834570512B2755790D4581B5,SHA256=8414D105F1C2FF0DA58D00FF430BCD495036BB76B6E7BCEADBA698F25B5F3542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036776Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:34.636{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E20C0BA9ED700E86512BB59D59ECE63,SHA256=C55D40BB4D1B37DAAFEBB96520C472814D600D7DFE472C65159351D5F740D024,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050866Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:31.611{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64695-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000050865Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:31.611{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64695-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000050864Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:34.244{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=9971A6A8A44A4060585348BB2C68763A,SHA256=4161D8326AE94C5A8C2BA376A6958C1826D840DD2B33BCF65BCB4CBD15BB098E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050863Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:34.243{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=134B3BD99B4C3F5472B5655E76565582,SHA256=0C7E48A300231CCE09E7FA690C101171FACD8D744D47EEDE75968B2DEACAA562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050862Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:34.242{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=6B0997F169038F7B2C0D64795FA8B224,SHA256=7F27BB1ED6C171F2409805426457775F7D85ECC2B2B06867C61F2E900186D51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050861Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:34.145{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E653556CF303CA12C7F960E0394D1CDA,SHA256=A8E3B7F9C414C6EB0C22791BC79C18D12AB6773191E7832084BFD0CA10EFAB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050860Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:34.060{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036778Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:35.698{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C331175A2530A5D0B4049D35C82FE2,SHA256=D2AF3586DC61BC248B447FB137BF252EB6DC98AE528E2729F7F2CA6D49615301,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050869Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:33.473{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64696-false10.0.1.12-8089- 354300x800000000000000050868Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:33.262{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-3407-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050867Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:35.160{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2FDE9F1EDD3AA65AB1619D33B1720C,SHA256=7D5BB931C8F90C6560D74B44C4721EC794976073ECD460DF63354F4B11557C50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036777Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:33.853{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51770-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036779Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:36.730{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A360D4AA933C8790DF06A1E8FAF3ED,SHA256=4221254DE20859346BDF61F30D7E73DDA03463F7C540191B64EABA9AEE4DDAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050870Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:36.175{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A951B692901705B7F907EC62DD913,SHA256=BF5F5EB0355D2295ED735B44264CDE097FA6AB84F9E3F414F15D1F85D90F11FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036780Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:37.761{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1B2B7F02A3D4B9FEFFFE8618338D44,SHA256=37D8C0E6657867E311F003E5D81DA1E5E460A9785F6F656276B38D8530161825,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050872Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:35.609{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64697-false10.0.1.12-8000- 23542300x800000000000000050871Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:37.190{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234F0C9ED6CA4E0D6E4CD5270A9FF8CA,SHA256=84660B2D54A699658B74E542E027FD1C755555627899D6D46F1A4B3B3C3614EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036781Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:38.777{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97678D36467A8798BBA7B506BD12E9B5,SHA256=51D00B400700562E271579D92F53CA30BDF9EA8E3486C8232495077F8F663E3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050877Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:38.736{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050876Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:38.736{82A15F94-3493-6112-0D00-00000000E501}9005108C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050875Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:38.205{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3ABE6F3461E41557F01E338B03D341,SHA256=41B2CF213B52B3C646E26DA360801D15F1D7180AA09F30625C34ED7055DD016F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050874Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:38.074{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0221273409C84B6A5CD7462816CAFDB,SHA256=C8DAF6030E031D03D25C8EC8396399D95788B729BF95F6334909BA8C2F3E474E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050873Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:38.074{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE16AE65FC2C946853F09F782755AD1C,SHA256=642C7DCCE999386DE10C474F6C667BA9B3203039C03FF441FDB9FE81ADAC7952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036782Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:39.792{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3FC3684E2A38D3D19BB65092F9E839,SHA256=DB6D6351AC3B705193BC50A71F7F6DB79545D93DBCF1B093D423879DB7B3B22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050878Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:39.205{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68839DBCB96F41DE7E6E04074671492C,SHA256=7800E11C782112C009BB4F0B89B8CFD838F469F6230E248D09E77E3989A649D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036784Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:40.823{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7366EB37347127CF80692097C159C9,SHA256=4F5BAFA239E0C3037D1AAA2E350CC57710BD35EE81B963DB36FA027A5BC0209B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050879Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:40.220{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB4C7F93A1D000B67831B570127941A,SHA256=344C3CF1FAB49967958EF43D3196DC47411C3E3D908EDDE4F9EC4514502BDD70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036783Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:39.008{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51771-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036785Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:41.870{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70F2961FB153A76865153249B88145E,SHA256=92F73EB4899E24193C97B23B38F61871CAEF530017B9E4129DD0BC2D03F924B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050881Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:39.041{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-14213-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050880Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:41.237{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475DD0D15907DB38B95684880E5C2EDB,SHA256=04F9C131F9598ADAEC6E8BC4F042B5E7CF883BDEEB3BFCB89C9A0B53896FC4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036786Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:42.917{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F940FD98071A2DDB04B79113AFF8926E,SHA256=BFDB9CCFA1372B46514C2053DAED98262D9BD68F1F1AF16F9E6062AE6CBAF116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050883Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:42.939{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0221273409C84B6A5CD7462816CAFDB,SHA256=C8DAF6030E031D03D25C8EC8396399D95788B729BF95F6334909BA8C2F3E474E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050882Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:42.271{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DA45DF00A047131079A062CC94A841,SHA256=44DBA060B8D818AA92E8E18114EBC58585653B7F42637F42E02D371593127BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036787Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:43.933{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F13B31092116DBB70382B30BD4C092,SHA256=3C7993975BFEE4C78BAFAB750048FC2CE2B1916C461251DA999D8BEA589DD177,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050885Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:41.506{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64698-false10.0.1.12-8000- 23542300x800000000000000050884Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:43.286{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89957C0D0D7393B5EB13EA19899A6B5,SHA256=930EB778BAB087625116CFEE9D9232212F9045BE5ED6643794CA385E2D75EAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036788Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:44.964{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B951229A21415C2B2EE571DC30DDF41,SHA256=8BBE36B06865FEF96390F4DA7E236215D6E5D6016BEEC915B1DF74E0D68DB96D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050887Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:42.686{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-22217-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050886Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:44.300{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E243F25BB7E0345A6EA2417D019B824,SHA256=5C2962D8CFB09A02D0DB004F45CD1BEC49CFD7577F48E53ADFC03411C97456BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050888Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:45.315{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F62F06892CF08530B9A68DA42D0BDDC,SHA256=7B9622688B1ABE8679EDC24875A342CD07AE8793C033A655A7A9A9A05988EB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050889Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:46.333{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0F40B2EFE47A6B6B531E45E89CE9E2,SHA256=F4E7F3AA817EEC9F0A877E8268799CE8E8DDECC6E9BDEF18B99586089199C8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036790Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:44.915{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51772-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036789Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:46.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B940AC2C5BFAEF25A9D60FA3476880C1,SHA256=6FC36D728FC9346485CFFA95362EF43C4D6877A2CD7E585E5B20DEB11375733A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050891Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:47.352{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1BDBD003E7095F7554CE609C72FDB6,SHA256=BA70054A2BC5F85856E0A44B699D51749F423D93228CD22E33EB72666711B7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036791Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:47.073{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAB805FEC9E866C2A44AD2CB63FC30D,SHA256=08EF6EE246C8FA144E089AC0732C24FFA06036D2B8731F0E048103D121DDAD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050890Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:47.214{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A3A7DC6930C4669C75A79680096C6D5,SHA256=5CADB9FCFB19973A17A6AA56D151A170705C86FFF58AFE340B6F0904EEE1080A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050892Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:48.366{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE086620E4AF05386903CE3A52BA2FDD,SHA256=00BFF9F301152DB6CF786D22B3C7AEFFB710CAAF9225B1C92BFD91288614CE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036792Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:48.089{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69835B97BF282FD970424C844A733895,SHA256=35D7B4CBF24744F2B1180BBEF26BBDF6131D9964ED358733E512C7250C2933BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050894Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:49.381{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0823CDC009DA02A547DDFF082A247FCD,SHA256=EB0F9BE226815DC70378DC4FED0CD76234F1681EA310A9CCFA7F51B5F82C9BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036793Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:49.105{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F2AFACD68FF979B38578E255EB4FDE,SHA256=BB516EFEEC31E7C9FDD10D3C411FC5F49DB8C5D9EAE43B2449DCF051D6B34C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050893Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:46.617{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64699-false10.0.1.12-8000- 23542300x800000000000000050895Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:50.396{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDF74FE1EBF3C2033C108AB12695956,SHA256=802C902B4E0F496A683607C5C25484B555181ACAB7D0488AB22EF83A64D4853E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036794Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:50.190{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20963D8319F91F6107108F112C57FA1,SHA256=06A9F3DD99CAE01FF3E672DB24CF5B7EB3DD1A9DE8B1F8A7CF77A8B6E87527EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050897Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:51.429{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775FB3E8DC8BC88F127436136B8B576D,SHA256=E60FCE7D638356817F7DC3DBA637018E1818DABCDF56740B4C5336BA1B99AD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036795Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:51.190{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBAE140887A2CD0F0F737C45D4725C5,SHA256=E1A50985DD7655E8EFC8697DABDDD1E623EB54EA0154B9CF77D9C0DC7AFB8BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050896Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:48.179{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-32459-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050898Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:52.447{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CA9187CB8ABC3C3C6DCFDD4CF1E56A,SHA256=024E81298A38D755792A5345CB1490B38F6574032758ED2ED080B7A7F7F23001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036796Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:52.237{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA65F3750B4820593E44E9804759AD3,SHA256=26D798B7E1356F4C693F8762136713BA44C060381282C1B9374DF361AE040B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050901Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:53.462{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7FA6744F0183E5ABF4587BE763608B,SHA256=6608EE14A7D499F929252E055EE300A302E356DD02A1C6187361394800F364C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036798Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:53.284{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9A38337864C16D8D8BDDA27164367B,SHA256=4799CD6236A916688A2C5DE8578A1C613F4E96F5CCEAC58D44A9D14E7A04584B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050900Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:53.394{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E4F032FCA173B8446AA360FFF5F2906,SHA256=4FFF4E7DEA23D90D85BD17BF6ACED8F8E729CC26587F8C9B80794D6CE9B74E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050899Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:53.394{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEC7E3CE7BAB1DB02BA805FE2387DC0C,SHA256=B17CDFB30BB0E3F606BB458135035312F22AB4D1C34E05A63B0851487C9227CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036797Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:50.861{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51773-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000050903Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:52.512{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64700-false10.0.1.12-8000- 23542300x800000000000000050902Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:54.477{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5B6712F4475AD7518A5C76272A61EB,SHA256=2301E9D5685A63274ADCDA48631843CAC5CA7A601F8CF1994AED109D61F96E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036799Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:54.315{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7974F0F0976E86433DDECD1F2CAB8005,SHA256=B4366129E681894E5613116745CC43EC43513FCB3C2AADB52A9F59E87F15DC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050912Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.493{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9E32E76A5207DBAAAF411490F0B139,SHA256=0D2EF5CA8521BE35D4AC77C3826AA147E3D20335C98FFC60C583FABD1C660522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036800Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:55.316{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FDD16BC692F0D06ADF200C562B68ED,SHA256=D342E832434821FA26D76BC8DCA7B3B4D232096CE16DBFB7763CDF3C553E8DD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050911Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.408{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E83-6112-C608-00000000E501}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050910Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.408{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050909Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.408{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050908Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.408{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050907Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.408{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050906Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.408{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5E83-6112-C608-00000000E501}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050905Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.408{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E83-6112-C608-00000000E501}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050904Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:55.409{82A15F94-5E83-6112-C608-00000000E501}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000050932Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.746{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E84-6112-C808-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050931Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.746{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050930Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.746{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050929Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.746{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050928Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.746{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050927Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.746{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5E84-6112-C808-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050926Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.746{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E84-6112-C808-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050925Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.746{82A15F94-5E84-6112-C808-00000000E501}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050924Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.508{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E13DB4B1D8613AA36664342DB10F81,SHA256=5E1AB879079A52CA9651D661CA80F09BA1D5418F3A291869BD7DFB113475E5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036801Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:56.347{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC713DEE04716FF2EEE7480AD085D0B,SHA256=DA1359DB6E597FA76FADD326BDB508F2FE3AC5DA87034083BCE005E11D28D270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050923Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.408{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E4F032FCA173B8446AA360FFF5F2906,SHA256=4FFF4E7DEA23D90D85BD17BF6ACED8F8E729CC26587F8C9B80794D6CE9B74E27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050922Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.262{82A15F94-5E84-6112-C708-00000000E501}52724564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050921Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.077{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E84-6112-C708-00000000E501}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050920Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.077{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050919Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.077{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050918Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.077{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050917Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.077{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050916Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.077{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5E84-6112-C708-00000000E501}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050915Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.077{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E84-6112-C708-00000000E501}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050914Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:56.077{82A15F94-5E84-6112-C708-00000000E501}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000050913Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:53.844{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-42567-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050943Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.761{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C177AAAAC44CF4337F114625960C4DCB,SHA256=D6D93D269634202DAEA1DEBA0E5E687580DEEB537C5869C1831C6FF50F5A435F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050942Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.746{82A15F94-5E85-6112-C908-00000000E501}40724332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000050941Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.529{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B58FE30873A76E1ED70F0F3D1ACB323,SHA256=35E83B98DF2C19BC17AB6F643CB67885EB7F423687F78C1E6E708408B00C0241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036802Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:57.409{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE165337B5E11E3D85FDAC2F642F290,SHA256=E3BE1F04B4C6AE0A3F0BCA9CC13DC6C9889E4A0A0A2FC8C009BC16B48C0B2D38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050940Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.477{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E85-6112-C908-00000000E501}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050939Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.477{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050938Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.477{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050937Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.477{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050936Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.477{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050935Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.477{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5E85-6112-C908-00000000E501}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050934Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.477{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E85-6112-C908-00000000E501}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050933Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.477{82A15F94-5E85-6112-C908-00000000E501}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036803Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:58.487{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B9594A5437BD171C548D98FCDFE32F,SHA256=15EE33E246D1D21C4F38B526B4AEF954DD49896350764E7B4F2C428D244C75BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050962Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.909{82A15F94-5E86-6112-CB08-00000000E501}6044640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050961Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.729{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E86-6112-CB08-00000000E501}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050960Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.727{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050959Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.727{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050958Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.727{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050957Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.727{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050956Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.726{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5E86-6112-CB08-00000000E501}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050955Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.726{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E86-6112-CB08-00000000E501}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050954Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.725{82A15F94-5E86-6112-CB08-00000000E501}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050953Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.546{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56877C3EE74F5A0F4FF1D39C592228EF,SHA256=B31B699961C2F2BE9714151127FD56A332645CDFA752B2D6ED49589E368B75DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000050952Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.261{82A15F94-5E86-6112-CA08-00000000E501}64366200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050951Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.045{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E86-6112-CA08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050950Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.045{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050949Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.045{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050948Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.045{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050947Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.045{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050946Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.045{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5E86-6112-CA08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050945Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.045{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E86-6112-CA08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050944Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:58.046{82A15F94-5E86-6112-CA08-00000000E501}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036805Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:59.518{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A77951BAF8FDB89155019B7C655101,SHA256=5F844A52CF987B2A6D80BD443C901C578586FE7BE7C57EA91665C0C57C596F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050972Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.593{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A151169FE3EE1A3B8BD4A1400A6D7EE,SHA256=5DE6FA145C23C5DA7311D7BE7BD72C3AA2DCED1A7B4C664E0B0EA0AEFCF02F6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036804Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:09:56.813{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51774-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000050971Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.393{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5E87-6112-CC08-00000000E501}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050970Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.393{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050969Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.393{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050968Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.393{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050967Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.393{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050966Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.393{82A15F94-3491-6112-0500-00000000E501}420532C:\Windows\system32\csrss.exe{82A15F94-5E87-6112-CC08-00000000E501}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000050965Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.393{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5E87-6112-CC08-00000000E501}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000050964Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.394{82A15F94-5E87-6112-CC08-00000000E501}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000050963Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:59.062{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C81E8472C76CABE0761265745FA9B004,SHA256=A190BEA656B59ED228BF9EF9226B6A4618FEF0BA940CD2D702C5F0B3BF63BD84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036806Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:00.581{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69874244E109605AEE7A6094C1704E25,SHA256=66615442CB6EE74F27848348DEC459EE04D79A2293A6A343B6712B45EDEF9C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050975Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:00.661{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633AFA48C347D1B17801A0391F82748C,SHA256=44ED5C867046D6D344AF0C20567E4CDCD8892E805158B63D9EF9468930A11F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050974Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:00.408{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1CADBD97070BB9EF507925DB0039D45,SHA256=9C59FDA086540959B5143109D8470E63DC7F2A56506F06791290BF08D260FEFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050973Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:09:57.657{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64701-false10.0.1.12-8000- 23542300x800000000000000036807Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:01.659{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BEF4DC9BB4DD67F4F49862027472CD,SHA256=C5B31BB8B7B7E93393A1F898F17E4C0D9E5F8D2DE9EA0DD5A36A89339A8CA8F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050976Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:01.691{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A36EF83295334141EBA74FEADA3F27,SHA256=DCE99788E53854E92C816790B285A0EE0E622B7AE7B19A3E54768EC24D1D64DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050978Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:02.724{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4657E8E3D52C887B415A2258455D098F,SHA256=85D800CCB243918227B19B5A3C918B38AC5D3E80EB7EFFA4C86ACF8CC2AAAB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036808Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:02.737{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A387FED76C9F780799928BF54F07BD59,SHA256=26ADAC7117482848A3246AB2ABBCE0ABF5DF6DD649195C2AA3698C0698292D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050977Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:02.260{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B6C6C06B1C4DC70377E65B45B668C00,SHA256=ACBFE52BCBA961EFA208E60F20E54429E31C89F92B0AC9DC08BE36D193FFFA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036810Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:03.753{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC6436CBE3070768D6D5C4CEC5D6BFD,SHA256=2324B8E07E7ECEBB66141401EA7D7537A9A4C99F11C4DDAED025A0BE22A011AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050981Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:03.758{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8A4C3217F531DF256F6B28BAFF3789,SHA256=34777FF58F4160B46D732ACE871196E33BA64D7E0C647E39481E23A403CB1F80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050980Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:01.121{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-54593-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050979Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:03.124{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=406E713322F52A3918A5D54908D372E0,SHA256=1C2C42A0802192B70A42676C05D003DBA4772047801BA7FDEDE03A0A55601FA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036809Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:01.953{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51775-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036812Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:04.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434BCB9210FB60C8E15F13F5D72FA799,SHA256=2FC1325F4C0D1805198C6251A92999E2B47BC0A6957A663EF59525F50C174271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050982Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:04.789{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CC79C8B15DCD68DC1E88F4B0B6B4A7,SHA256=8D427AE61082FE65835EF1982868C94087CCDBD81D55549E08ECCE9A0932ADA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036811Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:04.393{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036814Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:05.815{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7F8E37724019B70F1553C26FA24338,SHA256=964B0F9CD09D99272C7F4D5E3B7A466CFEF06CE81E8ECC17451857C19CDB7DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050983Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:05.822{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BD4F100F426A59C96B22C5C81744D9,SHA256=6765E9BC72C35123052FBE9D14CBE0E19FFBA08D3FC2F724B22FCC88EB2BE8A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036813Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:04.141{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51776-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036815Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:06.818{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E89A9C2D131FF3BDFC9A20E121B4980,SHA256=75FEBCCE96A5C1D0F46EB8B77133FD1561431A2FEEA821BFA29ACA4C8D9A9F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050985Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:06.841{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE323108211ECC8157BA7229783BF989,SHA256=8CD3E7936EB306D4A0C5926EED39BC2F1E5554A8541092AE983F7441C56E3237,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050984Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:03.554{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64702-false10.0.1.12-8000- 23542300x800000000000000050987Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:07.856{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A718AE6FA1D8737008324E508561D3,SHA256=4639C2D97C12D823E5DD43A8832728C3CA46A5CC908F78DD17EC2760FD31E0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036816Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:07.851{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755BAA74C392A67F2D622DFDA4C9F55D,SHA256=3C0D221B8FA3FD47EF4CA47251F66054F37D0F9DA2F063CFA5DC6F18C1E6DC90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050986Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:04.774{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-3861-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050990Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:08.857{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1946C63EC6470C39B0E8839D2C11B98A,SHA256=8C2C1DB5EB6FEB39F2533827757EF2A274A5BEDDF12C63A83D5FC35222413802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036817Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:08.867{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D1BEAB82B4B8E886AA368776C9D940,SHA256=998168662A5E571586BE55309993B82841900E1B144AEA75520AB5E0E3BBED6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050989Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:08.421{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=165114F4998A0B085FEE434076430AA8,SHA256=5438F01DC5CF8A457648854FB3CA672DE1F56D6EF5FE31DAE28D957C760BAE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050988Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:08.420{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C9F83EDD521AE833CCA9214080A9B57,SHA256=A5C3D59485D269B022F4F5FBE38A8C311F0B456297B31DDACDCC7EFD2BACAA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050991Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:09.873{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE97D650EC86342F568F891E61E8DAF,SHA256=B70C512AA1C0E8CCC64D6231DD50DD96CA1C875AF2AC1AC4F215FAFD9FAC5936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036819Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:09.867{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F7DEF07892ACB460C784394E3C4EA9,SHA256=D8220ACB26D86F6663D0D285FD9B24C39DF131F118C3F781BC4CFFB965DD7B4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036818Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:07.912{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51777-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036820Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:10.929{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8661F93F393C56B43E9C52737EF919A,SHA256=C7DEF77A6EE661F737512FAA27248C0295C07866D23A4645B8DCF4EBFC6BADCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050993Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:10.873{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DB43E9BCEC6189F3BD179AE2DABD23,SHA256=60F25CF2891AB975872D083EEEB301D8FD528EEEEB54477B2D5382C410243D5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050992Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:07.909{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-7794-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000050995Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:11.904{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A250197218E5A1EC703EA5CEB62157,SHA256=1E5981A43C7A7F4CD774214217BED50EE9CAEC33B96A4BB81879C979FF95F5DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000050994Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:09.457{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64703-false10.0.1.12-8000- 23542300x800000000000000050996Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:12.922{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ECDD267BC5CFECB037716A3AE733F0,SHA256=D47869312D8CBFF77290E67AE6D08FF25F87A7868E1C7BF41C467CFCEAF0AFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036821Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:12.023{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7CA0028EA35EB3881ED0779C70C7EC,SHA256=6DB51C2C37A117C616CF976A24AC4BF8189EFDBFA0107BB1CB25E0DD5894EDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050997Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:13.956{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97248553482F91D1D590E9A5E70C09D8,SHA256=F392CD83C13E15618640E71898147FF99674B78F255689D51E0FB2DC28643C4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036835Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E95-6112-3607-00000000E601}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036834Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036833Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036832Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036831Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036830Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036829Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036828Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036827Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036826Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036825Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5E95-6112-3607-00000000E601}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036824Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.539{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E95-6112-3607-00000000E601}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036823Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.540{82855F7C-5E95-6112-3607-00000000E601}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036822Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.039{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9F4B52B962813735E4D7A5514D7F57,SHA256=5B872BACE19409C9B9991A94BABA1F931B83EFFB1A320E22436C1744281A3DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051001Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:14.971{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FFB81748DE914117C0CA5CD20CB708,SHA256=83FC0FF8C0264CAC591D4005271BF5571F830F9D12CF7893FBC77DFCC01DD3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036866Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.961{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DB24E079A5B2798B947423BE8301A0A4,SHA256=0BEAF4854AE8920CEA4DB1CBA83C3C35177F59ADEAD0D9930A919E0561C8A265,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036865Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E96-6112-3807-00000000E601}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036864Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036863Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036862Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036861Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036860Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036859Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036858Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036857Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036856Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036855Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5E96-6112-3807-00000000E601}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036854Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.804{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E96-6112-3807-00000000E601}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036853Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.805{82855F7C-5E96-6112-3807-00000000E601}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036852Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.586{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F45F06BCC46978E0365B3F43CBB468B9,SHA256=CD9243C7A74FB6BF938FB2C5FA140FC899DF791B9C8A1257F15AE9297B1C8AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036851Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.586{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CD65FC7573BD7EA156BA69F47203031,SHA256=9A2DE03B65920562DB927C40913942C50000F963365F819127787BE531A7EBED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036850Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.351{82855F7C-5E96-6112-3707-00000000E601}33362984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036849Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E96-6112-3707-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036848Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036847Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036846Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036845Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036844Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036843Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036842Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036841Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036840Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036839Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5E96-6112-3707-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036838Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.164{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E96-6112-3707-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036837Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.165{82855F7C-5E96-6112-3707-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036836Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:14.086{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8AF49EF38E0CCE82A67BB8F20DFDEE,SHA256=CCFCE76B49107F6FC2E9D20F5B3C3ECA16DF3449C665DD2EF3FC54824B79F1A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051000Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:11.908{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000050999Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:14.456{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D920C3415F5AF31B2653613C50A3DA5,SHA256=97C1291A997514172A6BDF19EFA0144CBE9D19CFDB2CB959F49C3B5DD4EA770F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000050998Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:14.456{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=165114F4998A0B085FEE434076430AA8,SHA256=5438F01DC5CF8A457648854FB3CA672DE1F56D6EF5FE31DAE28D957C760BAE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051002Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:15.987{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E774D38AF718309B8C38153DEEB6EBB,SHA256=DB336564E8C7C5C7AD5205685615C5ED0487BD61137E51581B68B133A13F0D3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036881Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E97-6112-3907-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036880Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036879Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036878Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036877Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036876Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036875Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036874Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036873Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036872Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036871Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5E97-6112-3907-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036870Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.945{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E97-6112-3907-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036869Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.946{82855F7C-5E97-6112-3907-00000000E601}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036868Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.804{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F45F06BCC46978E0365B3F43CBB468B9,SHA256=CD9243C7A74FB6BF938FB2C5FA140FC899DF791B9C8A1257F15AE9297B1C8AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036867Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:15.164{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED0E39C2A4C2AB06858D8C4C9490602,SHA256=765057A718FA23A885969C6C926C2F32BEEAA9B7046DF63792520BB71B5084F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036911Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E98-6112-3B07-00000000E601}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036910Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036909Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036908Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036907Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036906Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036905Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036904Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036903Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036902Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036901Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5E98-6112-3B07-00000000E601}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036900Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.961{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E98-6112-3B07-00000000E601}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036899Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.962{82855F7C-5E98-6112-3B07-00000000E601}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036898Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.726{82855F7C-5E98-6112-3A07-00000000E601}35081220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036897Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E98-6112-3A07-00000000E601}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036896Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036895Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036894Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036893Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036892Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036891Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036890Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036889Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036888Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036887Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5E98-6112-3A07-00000000E601}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036886Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.461{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E98-6112-3A07-00000000E601}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036885Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.462{82855F7C-5E98-6112-3A07-00000000E601}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036884Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.195{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44671D4FFAC188BA4003D43B1E6194A2,SHA256=10829A3FAA0D8818160DA622030C72BE1357ED03FC9A2AD66D3A0715F877E364,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036883Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:16.180{82855F7C-5E97-6112-3907-00000000E601}38884060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000051003Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:13.947{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-20144-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000036882Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:13.848{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51778-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036927Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF91BC8F354E42D743786BF8C4D6651,SHA256=37076DAB6F4BA24EE2DE6CC402EB849F183AED837E5A863D85AAC9E023EF8828,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036926Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5E99-6112-3C07-00000000E601}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036925Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036924Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036923Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036922Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036921Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036920Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036919Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036918Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036917Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036916Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5E99-6112-3C07-00000000E601}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036915Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.461{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5E99-6112-3C07-00000000E601}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036914Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.462{82855F7C-5E99-6112-3C07-00000000E601}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051018Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.986{82A15F94-3D89-6112-C804-00000000E501}64601032C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051017Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.986{82A15F94-3D89-6112-C804-00000000E501}64601032C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051016Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.970{82A15F94-3D89-6112-C804-00000000E501}64601032C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051015Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.970{82A15F94-3D89-6112-C804-00000000E501}64601032C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051014Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.902{82A15F94-3D89-6112-C804-00000000E501}64601032C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051013Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.902{82A15F94-3D89-6112-C804-00000000E501}64601032C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051012Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.886{82A15F94-3D89-6112-C804-00000000E501}64601032C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051011Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.622{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D920C3415F5AF31B2653613C50A3DA5,SHA256=97C1291A997514172A6BDF19EFA0144CBE9D19CFDB2CB959F49C3B5DD4EA770F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051010Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:14.536{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64704-false10.0.1.12-8000- 23542300x800000000000000051009Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.202{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051008Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.155{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-CA04-00000000E501}6944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000051007Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.155{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-CA04-00000000E501}6944C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000051006Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:10:17.155{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6944.20.135668331C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000051005Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:10:17.155{82A15F94-3D8B-6112-CA04-00000000E501}6944\chrome.6944.20.135668331C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000051004Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.002{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAECCE476FE281DB436AC193E4E07BD,SHA256=450EE313801C2C01BA7E7F81F7CBA3E3CBA6653EE8CF3E56C133681B8FCD52CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036913Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.180{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2C1828D7322A91366F1EC86BEE07904,SHA256=4DE169FB26287CB82A25794696A3CB55F9CAAB1D0F600F4D4FC2AEB2BEF72DE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036912Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:17.180{82855F7C-5E98-6112-3B07-00000000E601}2492892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036929Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:18.695{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6496A0FE625D794EF0FF1CB392F0B05,SHA256=93551300AEBD63B89601992AD057859BB00608C76E42234667D8F2DBCA354219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036928Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:18.492{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9165597B07AD2183DFFD6A95B23EEBDF,SHA256=F118BBA5C4DE89F70605AD8B9FA765534784AEFBF7DADAD1188B1DF8B59B0F2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051020Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:16.659{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64705-false104.244.42.193-443https 23542300x800000000000000051019Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:18.024{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC68D3DDB60F7430C07963CB256AD46F,SHA256=EBD7374B06662D0AE935449519CB439455C3AD1CAC4C740C04BDC8F03E759F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036930Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:19.508{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C92C0F3B720CCD01DD8F0FFE35468CC,SHA256=7DF350806BF1CF19FA58B568386861350DA1DC1AE72439D887E002AD77BECA5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051022Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:17.377{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-15.attackrange.local64706-false192.229.233.50-443https 23542300x800000000000000051021Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:19.071{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66029C26017045EF5B7A9B6444F1D78A,SHA256=5765291B2A9654B40D7ACDEDAF0D31E743D8FD8DA1C5E6295DE316236952D451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036931Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:20.523{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB946B097AAA24826C4DD90F01515F91,SHA256=FF9E4CD7BA2696BDFFC0AD87B6058221BAE36FA4A82ED2246004285B1A9466D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051023Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:20.072{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF9E33FE896E362B051877721474339,SHA256=2B0D6E15DAD0DB096E43EE885ED31ED80A96EB481930AA8F6E7419F2333B3555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036932Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:21.539{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45B3E9220A6B5D3D491456736FF22F1,SHA256=0A1C1C3AA7894318ACC318B5D8A4885993914DA6EB9F0327C6ECB5C4BBFEA81B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051026Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:19.637{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64707-false10.0.1.12-8000- 354300x800000000000000051025Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:19.623{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-30340-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051024Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:21.087{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8E6F595BA536AFBB0D3C5985660877,SHA256=EFABED8534E4D21271734C91C0EDF37C0BBC038D80DF869B32AC501416B18992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036934Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:22.601{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06A1A6462E1BAAEEA3C0C197C4B4E92,SHA256=D4EFA72DA85EC9BEA5DCDE9064609E79CF7489A4FDAD99336D50A6E6DD13C98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051027Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:22.102{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F96843447477E36A803375F5C4A0678,SHA256=550C6F7BF4FD158F41444ECD5168F5BFB8268CA9A324DD34D8A07A8963F79EE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036933Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:19.848{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51779-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036935Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:23.633{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88DDDB3E0DD0A078DD660B5080AEF7F,SHA256=EE2736FCC7E1E19B1FD5C14F46C481D8DFCF63ED6062767A2DC52497756FE530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051030Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:23.538{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EFE7C428C11C644C63708D31825EACC,SHA256=AD315ECF4C1C90A48851321FC6E1755EC1AA33EB0E3E8130ED913AB62F136903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051029Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:23.538{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03AA8C45EB6C7E619D1019D916F1436E,SHA256=3381639934465C4077E701241522E7B2EA8A7124D1CFFF62D76931812C55F774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051028Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:23.119{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56554CE419DFD35AA696710A8FB24E6,SHA256=BCB8A4977F6E80ACA617599575B4AF17DEA57A48EFE6B2992ABA750405BDC3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036936Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:24.679{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16BC7BED5E7C9CED43850FAB63F9DFC,SHA256=CD5819E4E92C5296F26D0266277660FB8AAA98EF37E0428CADE37A423F131460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051031Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:24.137{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE59F8685D409AA302049A89D0884A7,SHA256=6F2ADF3C795F6142F466DC3EAD9EFDAA630A17DBF7D8B42F39950FF40CC30B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036937Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:25.726{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79995DDD10F20BCE5EA4223C7065BD5D,SHA256=E8AE3CA9B64A93B004F3FB8D0A6F9C8C6AE2FC7398C511D873C3AD039AA4358D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051032Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:25.184{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8877418F7621466AE28F9605F61CD1B,SHA256=35768723B1B332ECED14AD3D666E9807A96A6B79F3FD483DD6DE46E65E631763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036938Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:26.742{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF76A08F41233168EC2B7808B22AC3EF,SHA256=A121B4EC7295837021798A25D0B71058F5D6093357A80B3D02D7661BC8E4E332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051033Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:26.198{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B299910D8896C170DE52429CEB8D00,SHA256=BF24795588FB9B90A739F1B3E1037CCCC7C831CA33A60161091EB8A0CBB45709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036940Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:27.773{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EB4A5F6BBDBF631E190A908A99901D,SHA256=02283B28B777866FF47BE12D6CD4CE6B222E3D1A8EE0C0485580BF4521A551AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051036Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:25.532{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64708-false10.0.1.12-8000- 354300x800000000000000051035Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:25.404{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-41447-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051034Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:27.215{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DF9516343C6D6D590FD0745A061D7A,SHA256=B01E4286F7CAAB80A22E18E4F421995E412FB196ACD883E8F8D8E79CF12C73B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036939Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:24.989{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51780-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036941Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:28.789{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC67296C59C6228DB26754944E8FC2A,SHA256=705D53B44830ED3CC87CD77CE6A5DF93944CCB08854BCCCDECD8B805B7EA1135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051037Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:28.218{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECAB9D29A64E2E7BCB128DC57E71B4C,SHA256=EAF33F6C0194A82515062B6A72A87B34CA5FF4FF423C3EFEA8ECE6548B5FB15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036942Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:29.808{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3B0A08D217825DA0CAC927AF1E9A94,SHA256=CF00D9B492B7E0FEB90F68ABAE6AF9ABCFBAE3E9B0C8DA6AAB7C2232876E8A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051040Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:29.249{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1691DD6A8D5D6F8FB4E201D8554DCDC1,SHA256=1EB8099610E975E3E3EF8B35DB726DCB2CECD22409648D9F9AC18EC75D126C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051039Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:29.233{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEB38DE4171BBCBC6ACAB9B6254F5FD3,SHA256=67A5967EF3CD6ECAEAEC7CBFF5A5F1BEAE0FF6AFA75436E9BB7205B561F4391F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051038Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:29.233{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EFE7C428C11C644C63708D31825EACC,SHA256=AD315ECF4C1C90A48851321FC6E1755EC1AA33EB0E3E8130ED913AB62F136903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036943Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:30.871{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E6B0FB35A7625488D92EBC76DCA2F7,SHA256=57DB163205FF728FDF746BB1CBE112611C7A1D66E1442EA071C39B821BB5BA47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051041Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:30.264{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF6441FFAB64A20FEBEECA7A1F4476B,SHA256=72126451CEDF9C39AA5A57D08EB261276B315D3DE4425213A775227E5E39A751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036944Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:31.886{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD794B7CC524DEB8648244B7863B800,SHA256=1BC25DB7CA71BF5D3310BAE9B3207D02473F1C4285A7E7D0A6EDAB99581DBF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051042Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:31.265{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C39120C29D95DEA7A33E87A1EC5D689,SHA256=25E465CAEE5ED59B98C7BABA4412870B1CAFF83EA543B86B3D72B77385887112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036946Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:32.933{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9054EC41EA52C53185F3A499718C0F,SHA256=A16A8A2871D0EF3EC35DEE251DAA44E1D0A4077721CD97ACFAEBFFE4F303ADB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051044Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:32.932{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051043Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:32.295{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1369274ABD56EAB51818AC4B2FE6E754,SHA256=32BF94B7F1A29CCD6E2C9F46434AEACF8FE9B44AFC6102A8A654B5D0F280526D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036945Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:30.836{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51781-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036947Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:33.949{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87EA1D63B8B73B46919CEBE91EFF8A8,SHA256=49B74279E69ED299AEED16E6A352054FABE5434DF5864A2E547E555BEDA12CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051048Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:33.349{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BA3F2EDCC49EFC1B485E400F50AA24,SHA256=00E499DE06AA4DF8DAB5C3DE4D905C33B95DD16A1E803B66A9E033EFF39926C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051047Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:33.196{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEB38DE4171BBCBC6ACAB9B6254F5FD3,SHA256=67A5967EF3CD6ECAEAEC7CBFF5A5F1BEAE0FF6AFA75436E9BB7205B561F4391F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051046Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:30.667{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64709-false10.0.1.12-8000- 354300x800000000000000051045Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:30.660{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-51695-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000036948Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:34.965{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7F6A2D0B4C307F805E7F88F5FBA950,SHA256=E9F248C62B273A280A6D0D899743E4233DFB2DCB96D6373B0BB5F5D8ECB40681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051052Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:34.395{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C246777279F929AEF21EB2C795FD89B8,SHA256=66E56943FED7B90577379098F60641DAF2628AF5CDF4F73BDE997C4DDA7EA62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051051Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:34.080{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051050Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:31.629{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64710-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000051049Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:31.629{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local64710-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000051054Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:35.431{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24256ABA58051E02B8BCC4FEB9B41891,SHA256=3BDE3756C0C62547551F219D8CD75BE3FD7A6399BF7F38065D7F2B6ED842EB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051053Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:35.063{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7B2E72966D08850A96515513ED736D6,SHA256=B1B6C3E368AAB514C30AD298F92863B2A49CBC5F247F3B1CBA4918432F3C1D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051056Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:36.494{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755C8EC623785B736B0784C5B8CEC8EF,SHA256=86BADBA55902696FAC3D1CD85CC0E1609518B1143A062FBA92674B98A5B47776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036949Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:36.027{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708E6CFB2CDC3C694156AC260CDBEDC0,SHA256=489601DCE6F13369946AA2A4721FF89C9103F9DAB6D2D1B0847FDCBB4C81AC15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051055Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:33.498{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64711-false10.0.1.12-8089- 23542300x800000000000000051057Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:37.511{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7193352509CF081C161754B9E574C8A2,SHA256=1360C0F2C86D76C0C43DFCE1C3FF7AF5AD26F4F9289A304B5B4C6F6EF7BEE2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036950Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:37.058{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE2B7F054BB2CFF141C662B70E07BBA,SHA256=B473F6447CAECD505FE24EB19BCCB83A5ABBFFBA0D20713C399B97840A08DD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051058Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:38.516{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4267C76E67CD39368063D023D80B7C9D,SHA256=9D1B0BA3A5FE22D5598CBFA88F3365894A6530EE465D9AD7B4F7BF77D382F897,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036952Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:36.852{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51782-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036951Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:38.105{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BD14358032C23A1A448D0BB4ED746D,SHA256=1696A677D7C24DC2A95196EF82E1585D4B4B4DA951C07A3E435CE428E5E3D189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051061Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:39.535{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C53C978B5298C40DB1D20BE9D86516,SHA256=D83D3FFAA7FA736687AC674B8428E40C760FD1BFCEBDE188BE9546B6B55B57B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036953Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:39.168{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E217190EA4FAACDACEF1F71E233747DD,SHA256=BDC207520FBC60DF93FC0D93500DAA8A12489D96CCFF627E7260998BBD6A744B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051060Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:36.642{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64712-false10.0.1.12-8000- 354300x800000000000000051059Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:36.438{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-3315-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051064Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:40.765{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FA3FBC2BCBD438B16EE9D58C5225A3E,SHA256=1BA070BF2ABF45C894FE5473E10A47AF62C8C6DC162BFCBF9F2022B41FCC2B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051063Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:40.765{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C2B0C1AF81F7390A467C930A5D6C54,SHA256=5BB21BB1FC892A7B2BAABCD896D0F96A57B445F74BD2DA4E7F683B6AAF0CEAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051062Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:40.550{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B82340ACA72AF37BBBD65C2AF6E8ACF,SHA256=DEB5E0BD57E2AB2DF3B2F3C41CD53F8B7FA54D21A6E880C23C2ACFEE19BDFDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036954Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:40.199{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6AB5CEB61F2E4C5898D54A1F4CBC17,SHA256=AE124C8029AD7450783B9B76E959BBED62DB970743E2A7288DC9C20923F94B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051065Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:41.564{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA994D32687425BF9EDB7A375598213C,SHA256=39A6BB112CF676D74887A0A97C91A418C047174FAA5A1A4643C9010AA5C88CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036955Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:41.246{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F70952414C2D82C3BFD2C29892941FE,SHA256=A37FCD6876115A0EA2F4B17A24530690A2D2078AEB9BE202A16730F90DCC7E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051066Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:42.579{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07704218E1F6E566DA6FE310A9940E00,SHA256=2F619F488AA68D476EBDFC8E148F609BC94D0F7DC6108F277340DF0FE417AFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036956Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:42.261{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9394F888C8FFB6342B3A7F65295D2B6D,SHA256=B25FF168013F2CD25BB761FD465C8B759BA19B4DB46CE1DFEFF09ADB3197CF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051067Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:43.594{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0607438B22CF9C837A8074CDA5C95626,SHA256=321304632BE0200612AB074E2DBF96152BC6D0021EAE261F028F6B2898A5806A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036958Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:42.024{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51783-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036957Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:43.293{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208C0027D49080D4E1CAC8C1FD104C70,SHA256=3E6630869ACE1B74DC7DE623AFEA220A8F43033EBE20DBF8D7B7FE5FA3679721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051069Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:44.631{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8DDD19B3E24810DC8048B03220836E,SHA256=C31958E4A6E124DCA2F511AF4B149FCFE55628B53C8C5EDE3CCBA758412E31FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036959Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:44.308{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552C5BA40898A1C6392C457030CEB929,SHA256=2E6242BAB13DA5AFE0A657F459E241692D788BC373A9EC069B63E06BD75445A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051068Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:42.108{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-13588-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051071Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:45.645{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24627565E8EF0AFCE5EC99062BB4853,SHA256=F521B3036701D9C3670B582A35D78969A7A9DC2742C7A25DA3C83D2417AB5E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036960Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:45.324{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32FF955512F0CC7884344D6AC871AD3,SHA256=66E6AAA2CA8DF601E3ADC1CB1953FE28D8EAAC1AF1D4BACB0FEFB249441DBB79,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051070Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:42.512{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64713-false10.0.1.12-8000- 23542300x800000000000000051074Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:46.660{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5671574D8AF1803906494100D8F7A54,SHA256=1A8B016170333F257215940B487D0DBD8E00DB94E98A677F9F2730A4F61698D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036961Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:46.418{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5CD2ABBE22BBBFBE2FD0FCFACB6408,SHA256=2274EB870FC66E98EB96B493D314AFAA729A252E6C80CC14B3612D92A72F59F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051073Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:46.410{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2CEEC36513D9BEA7665598294C0A032,SHA256=78ABDBB4F743E416BF6B36DDD21407445D9305D7AA123BAF92129A9D6B2D735B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051072Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:46.409{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FA3FBC2BCBD438B16EE9D58C5225A3E,SHA256=1BA070BF2ABF45C894FE5473E10A47AF62C8C6DC162BFCBF9F2022B41FCC2B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051075Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:47.661{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E782DF53FB12950A0886101EC1CBD0BE,SHA256=6676054D0A5BC19BABACEE770D9568BE85146A27CB2F0DEDFBB5B87F0888CB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036962Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:47.433{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778E2D83F50D40FA10513F49934A9DFB,SHA256=D2BC6F2294727F4967F9E2DDBBC80E084CD54580683C45B18434ABFFB1755D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051076Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:48.691{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0813EB5AB7D88E76736A5E2E733D4D,SHA256=8ED3F0764789AC068B6ACD1A2193FFAE8132D69C8CE6D4F0EAF5973913CBB068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036963Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:48.449{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0011AA3255FBDC91450F636E5006A810,SHA256=4B990710A4C2A9D422276CFD0FE5C53729738FE3B1BA98C72FFC6B93ABAAEEF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036965Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:47.774{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51784-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036964Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:49.465{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F00EEDFF9B8DF54D280486A01755898,SHA256=6F35B009E2B49309C9D04E8ADEF1C06124A199C89C94B4F3F25120D558DE4F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051078Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:49.692{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD57D53484D480CBFF0F7754F49097F8,SHA256=6790B78F8B74DE0DFB5C270634AE6BDB0FDD3DE7064F8A7FDC9084DA9EF601DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051077Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:46.623{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-19739-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051080Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:50.708{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDFC61FFEC165876159B93B136F07BD,SHA256=400889F71EEA2FFD36EFD91F8C2CC176F17A7F08B52A6A94B6D17801F3A4B598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036966Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:50.519{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12ED16D4921C4FE0B3A456EA7B0CB462,SHA256=77F88D68DAA09C03E65D284AF1B748A2637BB5F40926F7211B54A101974D82C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051079Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:50.274{82A15F94-3DE5-6112-D804-00000000E501}5632ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5632.xml~RFa4bd85.TMPMD5=91B138C9CD367DEDFFB313A37C7B531D,SHA256=FA93915FD8209EF3D4E2A6C6DEB172637C48FC201A0282C79FF7A11B4C0BDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051083Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:51.727{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42FEF3791FA4C1727E46929E97F799D,SHA256=B9B392E29F756667144519952C102FB5A24C181B111DFA1969F4DABE6D07C447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036967Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:51.535{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A244A9F1BB8E5536CC0CDA7F2156CE2,SHA256=D61FF01AABB2F996F0BE598EF3221B6108FEE11864942982AE8D24723401633A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051082Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:48.540{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64714-false10.0.1.12-8000- 23542300x800000000000000051081Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:51.359{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2CEEC36513D9BEA7665598294C0A032,SHA256=78ABDBB4F743E416BF6B36DDD21407445D9305D7AA123BAF92129A9D6B2D735B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051084Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:52.742{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C15BB6C77BF293492B5FA9F297B36C2,SHA256=F128FFD864A9D5F411043B62E954F328D2662EDAF6AD96E214A379D6652EECA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036968Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:52.566{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA47D3F57976177F3962CB528BCA792,SHA256=6D1CD904CA9914981CA29F240A269BBD7676C38FEA26BB66FDDAA8B4F5AC8B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051085Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:53.757{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5C86052E26B841C98571AE45D1E661,SHA256=A786AD8ED8FDA37A12776C517820810F048EE47C64A898831F1BEE27BFC95F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036969Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:53.582{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3E4DE492A3756114A39F9EE95B40EE,SHA256=76F58B0203FFA50A915B8C3A40A624888469AD5910B68043536CE4E1D5B4AF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036970Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:54.707{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2285CA170F2E92D0E658BADF628EFF,SHA256=75743C18654F5596490D8DD4FC3146113A2422188C709FECC68D5D3B68064B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051087Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:54.787{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D0F465C9D93A17409C3CF30BCA76EF,SHA256=8FA9494AC3E4DC7A2700E9613A3714DDE337E618452F21B3E86F287FB855865E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051086Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:51.788{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-28969-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 10341000x800000000000000051105Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.971{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5EBF-6112-CE08-00000000E501}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051104Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.971{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051103Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.971{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051102Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.971{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051101Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.971{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051100Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.971{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5EBF-6112-CE08-00000000E501}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051099Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.971{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5EBF-6112-CE08-00000000E501}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051098Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.972{82A15F94-5EBF-6112-CE08-00000000E501}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051097Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.955{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE3D114E8A64E0AA9B44C3A80A7DA6FB,SHA256=76438A302A618623C3B25C45BB84BEB39CC162895F25716B3DEF8585B0E460CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051096Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.824{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60424ABB974E1446CCF024B4AC402B5,SHA256=10A1E2AD8007190E07564D203B301D0090A628FFB9CD61B1D316F0357FF2AD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036971Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:55.722{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B64480B4F6BBE0FC21A604B19C5F7B,SHA256=B77112FED0496BBC1114557CA87D92B58DDE964BEBE7BCE836CFC2FFB985D2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051095Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.424{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5EBF-6112-CD08-00000000E501}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051094Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.424{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051093Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.424{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051092Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.424{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051091Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.424{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051090Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.424{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5EBF-6112-CD08-00000000E501}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051089Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.424{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5EBF-6112-CD08-00000000E501}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051088Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:55.425{82A15F94-5EBF-6112-CD08-00000000E501}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051117Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.987{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ED5A3EC0C3D58DC582DCB1C0B1EB804,SHA256=9C6FCDBD7DAC8BD57A50D79F5EE702D8E84DAD68E432E950210818311AF9F516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051116Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.825{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45102E818431F337271054FE10C918C,SHA256=F2AF1D916CC1D7A67E857E71A5793E4165DA451CF17F195FDD215252608E9F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036972Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:56.738{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB77B885FDE6D737997EFC0A9002521,SHA256=FECA9D4989F4B7D04A0535CD7E7E9D856650F744FEB3BBB5D68C2378FCBCCC23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051115Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.641{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5EC0-6112-CF08-00000000E501}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051114Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.641{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051113Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.641{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051112Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.641{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051111Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.641{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051110Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.641{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5EC0-6112-CF08-00000000E501}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051109Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.641{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5EC0-6112-CF08-00000000E501}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051108Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.642{82A15F94-5EC0-6112-CF08-00000000E501}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000051107Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:54.558{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64715-false10.0.1.12-8000- 10341000x800000000000000051106Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.157{82A15F94-5EBF-6112-CE08-00000000E501}35327060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000036974Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:57.753{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E889182DB8FFF3476D3CE66C88384B4A,SHA256=B6ECC1BB723FE56676934AEFB5DF5ED2B4FC9A00DCBAE9DDAB32EF7E1929D198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051127Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.826{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56E7FD6EE3BC4FCDED0DF22601CC5C7,SHA256=1FE445D95EB1B9259D7C727ADDAF077863B0D28AED7098A08E45518430464F98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051126Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.689{82A15F94-5EC1-6112-D008-00000000E501}65723880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051125Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.471{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5EC1-6112-D008-00000000E501}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051124Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.471{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051123Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.471{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051122Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.471{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051121Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.471{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051120Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.471{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5EC1-6112-D008-00000000E501}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051119Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.471{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5EC1-6112-D008-00000000E501}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051118Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:57.472{82A15F94-5EC1-6112-D008-00000000E501}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036973Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:53.812{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51785-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036975Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:58.753{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA9DECBCA430EC04EDBA1B17C9AF107,SHA256=0DADAEF7D808D674A191A9ED0DAF2D815F12AED5DFF6BC13C6815ADA8774AD58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051148Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.988{82A15F94-5EC2-6112-D208-00000000E501}61726492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051147Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.926{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-348E-6112-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000051146Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.842{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA8BBE0BBA2D6D5B830D3663B435ACA,SHA256=3D79EF477E6CC948033E5E0BC20C232D412FC92556867D84349F0D6267DD06C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051145Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.826{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5EC2-6112-D208-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051144Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.826{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051143Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.826{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051142Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.826{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051141Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.826{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051140Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.826{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5EC2-6112-D208-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051139Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.826{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5EC2-6112-D208-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051138Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.827{82A15F94-5EC2-6112-D208-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051137Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.489{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B8F4F3AFA9C3751CC23A33BD93B7D86,SHA256=5BDF4A4DF6A43F0E9D2C6EC9CD36E8F02230394AFEE538C190E7BF4AB02BFC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051136Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.358{82A15F94-5EC2-6112-D108-00000000E501}46726812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051135Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.157{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5EC2-6112-D108-00000000E501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051134Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.157{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051133Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.157{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051132Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.157{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051131Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.157{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051130Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.157{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5EC2-6112-D108-00000000E501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051129Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.157{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5EC2-6112-D108-00000000E501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051128Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.158{82A15F94-5EC2-6112-D108-00000000E501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051159Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.853{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A3C2CD128324B2AAF4CB9A77DE0160,SHA256=A7FF825A175EC8B86B7563B04E6599464AE3A6DC0C88DCCEDD9A02FC983012D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036976Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:59.769{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0265D773B82079366C5E3FC511B3DB,SHA256=B6B34FEF63F74B22429053B94F20C51CC65E94358973A84ADBD93DFE2FB1705F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051158Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.837{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C20B8A4297602A948CD677CB415A2ADB,SHA256=F0B6F71F6F188BFDC5E5F1A0C1A0C027DBD63B605FC5DEEA19402B68A072CDCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051157Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:56.699{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-39057-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 10341000x800000000000000051156Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.509{82A15F94-353A-6112-B500-00000000E501}14804460C:\Windows\system32\conhost.exe{82A15F94-5EC3-6112-D308-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051155Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.507{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051154Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.507{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051153Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.507{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051152Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.507{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051151Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.506{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5EC3-6112-D308-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051150Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.506{82A15F94-353A-6112-B100-00000000E501}38084328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82A15F94-5EC3-6112-D308-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051149Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:59.505{82A15F94-5EC3-6112-D308-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036977Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:00.785{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B52B107127BC47CDB4C5F6D4C843A6,SHA256=AE90A2047F37F60DC8BEE6FE2C846B6FA07A8B7C9E9BABCAF5F0067EA2C5943B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051162Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:00.883{82A15F94-3494-6112-1600-00000000E501}12883932C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051161Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:00.883{82A15F94-3494-6112-1600-00000000E501}12883932C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2C00-00000000E501}2928C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051160Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:00.883{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7712370B43B5701A9379554E35749F4B,SHA256=8A55C98A28433FC2F81B49ED1B9575435A5BDF688DF0EA3DD9D76D1BDCFC0114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036979Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:01.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51910794F89AC567E2E20A37BC039E72,SHA256=1CCD627B987C14F51C2FE38BAD501B00E05934BFE9F685DF509E0657F196F900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051178Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:01.898{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579DC4076EEE26FC1AB4696108477291,SHA256=735EB339B06709E243BD75C943F9D042EEB0A021117C42346A0E50135B1F4143,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036978Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:10:58.984{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51786-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000051177Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.360{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64716-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 354300x800000000000000051176Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:10:58.360{82A15F94-348E-6112-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local64716-truefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local445microsoft-ds 23542300x800000000000000051175Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:01.298{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC120F582FD98419E2F8B660F7919613,SHA256=8E2DF030F59C73814175C38147AA185193949BE431C689597E21E6183A9EBB6D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000051174Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000051173Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000051172Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\AddressTypeDWORD (0x00000000) 13241300x800000000000000051171Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\LeaseTerminatesTimeDWORD (0x61126cd5) 13241300x800000000000000051170Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\T2DWORD (0x61126b13) 13241300x800000000000000051169Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\T1DWORD (0x611265cd) 13241300x800000000000000051168Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\LeaseObtainedTimeDWORD (0x61125ec5) 13241300x800000000000000051167Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\LeaseDWORD (0x00000e10) 13241300x800000000000000051166Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\DhcpServer10.0.1.1 13241300x800000000000000051165Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\DhcpSubnetMask255.255.255.0 13241300x800000000000000051164Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\DhcpIPAddress10.0.1.14 13241300x800000000000000051163Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:01.116{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79b4ca41-8094-42db-8246-01ed978d5984}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000036980Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:02.800{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02018243C5013875FCDAB9414BEEC96,SHA256=F5978ECEC0C1CA436E2D97FFAD4AFBFC0575AC29C566968D40BD16B221C87773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051184Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.917{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3812C2A5EF34697B10C8B62AD150D92,SHA256=8526F312CD8D03930FBE24AC4F0B1FB539799196D28BF00D963586B3E333B9DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051183Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:00.555{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:c000:488d:9830:9dad:8bde:ffff-60491-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000051182Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:00.554{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:4d93:4bc3:d9a9:7331win-dc-15.attackrange.local60491-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000051181Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:00.548{82A15F94-3493-6112-1100-00000000E501}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-15.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x800000000000000051180Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:00.501{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local64717-false10.0.1.12-8000- 23542300x800000000000000051179Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.266{82A15F94-3493-6112-1100-00000000E501}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D4E0F06582681FAD197CC23698439DF2,SHA256=BB4B3F623F05F413BCE1C9859A87D9F3302D3C3F003E19670DAA0AEE7678BE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051199Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:03.934{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E764288F99375321E1846CDC57F41A,SHA256=64AB3453AC89A1C4FD70F2638ED6739315F03C218219005899DE673912FF4764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036981Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:03.816{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA837111CF6CE537A5394081FE198DE,SHA256=8A099DFC1BBBB7F39FED54B6B481E91018E58109DB6209A8AF7E711BA5F33A91,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000051198Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000051197Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000051196Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000051195Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\FlagsDWORD (0x00000002) 13241300x800000000000000051194Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\TtlDWORD (0x000004b0) 13241300x800000000000000051193Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\SentPriUpdateToIpBinary Data 13241300x800000000000000051192Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\SentUpdateToIpBinary Data 13241300x800000000000000051191Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\DnsServersBinary Data 13241300x800000000000000051190Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\HostAddrsBinary Data 13241300x800000000000000051189Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\PrimaryDomainNameattackrange.local 13241300x800000000000000051188Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\AdapterDomainName(Empty) 13241300x800000000000000051187Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\Hostnamewin-dc-15 10341000x800000000000000051186Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:03.134{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000051185Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:03.134{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{79B4CA41-8094-42DB-8246-01ED978D5984}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000051218Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:04.949{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16EC87ADFB7563769C76EC0643AF2386,SHA256=D2247B83BA866F93F9D1B938544CC8D8F570B533E9A54AB5AF309AA5986FA22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036983Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:04.832{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BEE3A2AF0ECAFAF7C47BD39A45CC43,SHA256=3914EE34CF251084C1A7E2D09E153724E16DC101FA1A7BBEC14AD0A99A36F31A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051217Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.580{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.14win-dc-15.attackrange.local56335- 354300x800000000000000051216Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.580{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local54301-false10.0.1.14win-dc-15.attackrange.local53domain 354300x800000000000000051215Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.580{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.14win-dc-15.attackrange.local54301- 354300x800000000000000051214Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.580{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:c000:488d:9830:9dad:8bde:ffff-54301-truea00:10e:0:0:0:0:0:0win-dc-15.attackrange.local53domain 354300x800000000000000051213Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.579{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local60424- 354300x800000000000000051212Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.579{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local57464- 354300x800000000000000051211Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.579{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local57464-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domain 354300x800000000000000051210Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.578{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local59208- 354300x800000000000000051209Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.575{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51191-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000051208Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.575{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51191-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000051207Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.574{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.14win-dc-15.attackrange.local59652- 354300x800000000000000051206Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.573{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-15.attackrange.local51190-false10.0.1.14win-dc-15.attackrange.local53domain 354300x800000000000000051205Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.573{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-15.attackrange.local51190-false10.0.1.14win-dc-15.attackrange.local53domain 354300x800000000000000051204Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.571{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-15.attackrange.local53domainfalse10.0.1.14win-dc-15.attackrange.local53847- 354300x800000000000000051203Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.571{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-15.attackrange.local53847-false10.0.1.14win-dc-15.attackrange.local53domain 354300x800000000000000051202Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.570{82A15F94-34A4-6112-2A00-00000000E501}2896C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local60224- 354300x800000000000000051201Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:02.400{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-49799-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051200Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:04.149{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1968833536D8128FA309FD4B962CEDF4,SHA256=AA2F0AD947845D51E5BED299A17D7C273C8B663662C3C3BBF5621B71802D4A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036982Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:04.425{82855F7C-36F1-6112-9800-00000000E601}3912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036984Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:05.847{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6778F3774224341953BF78D990F281C,SHA256=91120E067A2DFDC85B8CC12738DE8C8180029765BB4C1C4CE93C7E67AC284E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051219Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:05.980{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE7E3698490AA6D76A247F6F76F8A41,SHA256=606C7E6AFEA89FC5D74405833EF9E3F5B549E25A64F2108742DB3BB89A0B6814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036987Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:06.849{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2999416EEB119CFBDBEC0030E2D743,SHA256=F6BE140E19E1115C578C72C8E0D80FF4D6E938D97738B14AD8D2E43050A22EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051220Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:06.995{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F6428146A3274CCFA467BC4D6124F9,SHA256=6BE9F53647A67CAFD08A3F6DC9BFE04688507FC614076D2ACCBE6C4F19479C18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036986Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:04.890{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51788-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000036985Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:04.172{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51787-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036988Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:07.862{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9367822CD52513B6DBE8A7515FC3F3,SHA256=FC2CDE467B55BF71D02E977F487BC1D54047D55641669BE375B18A2EB3CD4CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051222Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:05.629{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local51192-false10.0.1.12-8000- 23542300x800000000000000051221Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:07.363{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CC3212967C39CA03704AE7FDD997500,SHA256=1DA1C8F2D41C7824F54A9DA59BFF4FF788B06819C125C7DFAC24149F19A83166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036989Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:08.866{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A253BF53366E9F32A3243E9EC611D66,SHA256=6DB93F1B7687B987C133A978A49A37EEFCAAE3B9E008857AB774EECA84B1AEEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051225Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:08.732{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051224Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:08.732{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051223Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:08.012{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BAECABDFB91C07372BF3CBEA5E8493,SHA256=AC8B913A122D36D33283AEC541340711E49BE9C3837CA44A139F182F952B3EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036990Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:09.867{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7640D83EB9066F4DAB3B7185D808D116,SHA256=3D212F8EA6E2AAC2DBB73E37E658B7698D71862A28E5E0483B25DAA5878D8F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051226Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:09.047{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234FF12480CBA894F8F9534483B7CCE8,SHA256=6CC0F3B8D845F3FEFB136D005D34FCCBB9CF9ABCFCA93223D3BFB9A5180C044E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036991Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:10.867{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE62869F89CAB5D3D8B4E02DF208B326,SHA256=A5C76CAA80335A651243CC633AB5F4C89E409AA35BD6C92A1E56A970162AFE48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051230Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:08.064{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-1527-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051229Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:10.678{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\aborted-session-pingMD5=CFD2C276AF29C2457B9CE7DE97EF798B,SHA256=D692B0CDFCB7FB88AE785C4C7E0532CE85EF52C6C3B90DBB4AEB34AE8D7189F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051228Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:10.678{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B135F2965341B1C23AB06BA8E3258CFE,SHA256=21C2D0E8AA9B6813C563A6AD4D3D39B827C5AFA882C2A558E38C1138BE7BD209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051227Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:10.063{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F23DADB7E69B68D5F8B18BAABD1A81,SHA256=9FDBE41B040EE41983E5141C6B51A0B93B1CF9380CBE6C984DE8FE8C7125AEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036992Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:11.882{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB58AD8916CB5CFD2FC0C450F55780E,SHA256=363768325EC6DFCFD5FE7D829795134F3EEC8487F9FCE76239F2D0F934779488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051231Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:11.078{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091B62895938B54ED39108D10DC72D0A,SHA256=E8CB6F4B3D3F36EEFA40E85F9936E3D05B76983E460E41685E87951D6B550431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036994Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:12.898{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A539C36D79BE0A62E2F8ACA4CCA3A92,SHA256=50068D39C24D94EC26B77E7CDF5897704A071E9B07399A0A33EE454A7E121E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051233Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:12.293{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2143041EAACFAAEA6FD971F684853EC6,SHA256=8EE7A7D39EFE0E03C4B6A72F596655A9723FC5A55BE2020057F47DF0B9EC99D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051232Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:12.111{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348F82CFB670CE436212D7745456E6B1,SHA256=2F0EEA31AB77BC0E795055B4F0A39F32409B9E8EB56DF0011851DFE0CEA492D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036993Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:10.019{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51789-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037009Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.914{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D913D10643B7A575C13DB0BBC491B23,SHA256=910BFDC5266BEB8FEC9EBAC6DC0B92E0705D61A76771564A84D757459F4273AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051288Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:11.526{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local51193-false10.0.1.12-8000- 10341000x800000000000000051287Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.794{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051286Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.794{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000051285Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:11:13.614{82A15F94-5ED1-6112-D508-00000000E501}1044\PSHost.132730674732499724.1044.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000051284Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.561{82A15F94-5ED1-6112-D508-00000000E501}1044ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3pxfdisn.mhc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051283Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.561{82A15F94-5ED1-6112-D508-00000000E501}1044ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_eovqqu4z.dgl.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000051282Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.514{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_eovqqu4z.dgl.ps12021-08-10 11:11:13.514 10341000x800000000000000051281Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.492{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051280Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.461{82A15F94-5ED1-6112-D508-00000000E501}10445932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051279Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.461{82A15F94-5ED1-6112-D508-00000000E501}10445932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051278Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.461{82A15F94-5ED1-6112-D508-00000000E501}10445932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051277Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.461{82A15F94-5ED1-6112-D508-00000000E501}10445932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051276Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.461{82A15F94-5ED1-6112-D508-00000000E501}10445932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+139d2e|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051275Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.461{82A15F94-5ED1-6112-D508-00000000E501}10445932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051274Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.461{82A15F94-5ED1-6112-D508-00000000E501}10445932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051273Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.461{82A15F94-5ED1-6112-D508-00000000E501}1044ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFa51819.TMPMD5=A9E00EE160F5124D03A61A9F868DB4A1,SHA256=C61A3D0B23DB890BF567962783DFCB5F040B18ED8D284A279CB8362C5B73B6B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051272Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.414{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051271Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.409{82A15F94-3494-6112-1600-00000000E501}12881260C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051270Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.409{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051269Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.361{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051268Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.361{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051267Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.361{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051266Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.361{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051265Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.361{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051264Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.330{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051263Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.330{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051262Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.330{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051261Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.314{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051260Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.314{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051259Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.314{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051258Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.314{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051257Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.314{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051256Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.292{82A15F94-3494-6112-1600-00000000E501}12881260C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051255Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.292{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051254Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.292{82A15F94-5ED1-6112-D608-00000000E501}46647044C:\Windows\system32\conhost.exe{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051253Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.261{82A15F94-3719-6112-4101-00000000E501}51045012C:\Windows\system32\csrss.exe{82A15F94-5ED1-6112-D608-00000000E501}4664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051252Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.245{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051251Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.245{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051250Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.245{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051249Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.245{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051248Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.245{82A15F94-3719-6112-4101-00000000E501}51045012C:\Windows\system32\csrss.exe{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051247Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.245{82A15F94-371C-6112-5301-00000000E501}7606544C:\Windows\Explorer.EXE{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000051246Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.249{82A15F94-5ED1-6112-D508-00000000E501}1044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\system32\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 13241300x800000000000000051245Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:13.176{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000006e2) 13241300x800000000000000051244Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-SetValue2021-08-10 11:11:13.176{82A15F94-3494-6112-1500-00000000E501}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{cae4bc59-062b-4ccb-b968-27b0f5aa5d13}v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2330|Name=New RDP Port 2330| 10341000x800000000000000051243Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.176{82A15F94-3494-6112-1500-00000000E501}12363380C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D408-00000000E501}5656C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\fwbase.dll+1594|c:\windows\system32\fwbase.dll+13f6|c:\windows\system32\mpssvc.dll+dbc2|c:\windows\system32\mpssvc.dll+3014e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051242Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.114{82A15F94-3494-6112-1400-00000000E501}9686816C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051241Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.114{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C422CB896B86B84BAED0D5509D3F7AD,SHA256=0E551220198DF94A5753D0073E5898AF9489EE6EA5338229CDAF1ABBC0E6DC5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037008Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.757{82855F7C-5ED1-6112-3D07-00000000E601}40003956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037007Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5ED1-6112-3D07-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037006Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037005Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037004Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037003Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037002Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037001Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037000Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036999Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036998Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036997Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5ED1-6112-3D07-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000036996Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5ED1-6112-3D07-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000036995Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:13.539{82855F7C-5ED1-6112-3D07-00000000E601}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051240Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.092{82A15F94-3494-6112-1600-00000000E501}12881924C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D408-00000000E501}5656C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+a8874|C:\Windows\system32\wbem\wbemcore.dll+634f0|C:\Windows\system32\wbem\wbemcore.dll+f474|C:\Windows\system32\wbem\wbemcore.dll+b6f1e|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051239Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.076{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D408-00000000E501}5656C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051238Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.045{82A15F94-3491-6112-0500-00000000E501}4201700C:\Windows\system32\csrss.exe{82A15F94-5ED1-6112-D408-00000000E501}5656C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051237Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.045{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED1-6112-D408-00000000E501}5656C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051236Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.045{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051235Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.045{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051234Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.045{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000037038Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.976{82855F7C-3681-6112-1200-00000000E601}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AE2539E1404500C7785FA4E45FD51DE3,SHA256=A62518BC477E2FC3C26E41B195A2CF46B9B499421B5077B43F17CDA2707BED38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051292Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:14.194{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42F7B158C9D5277A7D5CF24CEF00B97,SHA256=FD672A9EA1C2A2A16743E61BDD49A8ACA378B779A66B9278749ADA5DA2F15CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037037Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.743{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8AAA0E53C55785533B142EF82E023C8,SHA256=B0A2FD19DA51DDFDED58B5AEC9C4A471F3CEAB7DE967D185C0488488FB561310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037036Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.743{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA40FCE0F467B33C17120093360B16C4,SHA256=CD0A64EB2AA2304BE9E5DF12BDF8A0F9FAF4FC27FDEA8B1950D373362882B6E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037035Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5ED2-6112-3F07-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037034Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037033Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037032Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037031Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037030Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037029Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037028Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037027Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037026Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037025Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5ED2-6112-3F07-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000037024Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5ED2-6112-3F07-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000037023Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.711{82855F7C-5ED2-6112-3F07-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037022Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5ED2-6112-3E07-00000000E601}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037021Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037020Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037019Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037018Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037017Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037016Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037015Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037014Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037013Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037012Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5ED2-6112-3E07-00000000E601}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000037011Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.039{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5ED2-6112-3E07-00000000E601}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000037010Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:14.040{82855F7C-5ED2-6112-3E07-00000000E601}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051291Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:14.065{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=56889DAB7C27C94499F020C4ACC2DDA2,SHA256=764081906B60A4AFE70C4661A35C13485F8A5CF1817527A9780C44E0486E5ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051290Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:14.048{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0AAA6CC8347BE214E81A5DAF187E899,SHA256=A69CD6635E20D6519D8A839622ADF88FB8882BCAF0D1AB6ECEFEB186E0A15F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051289Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:14.033{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5BB728E517C22A0E943CFAD96BF6917C,SHA256=408E0C653A6505832F87150E1E7D01436ADD00437273CBB85ED8C2F0F034B4E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037052Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5ED3-6112-4007-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037051Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3680-6112-0500-00000000E601}396412C:\Windows\system32\csrss.exe{82855F7C-5ED3-6112-4007-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000037050Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037049Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037048Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037047Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037046Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037045Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037044Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037043Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037042Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037041Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.945{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5ED3-6112-4007-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000037040Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.946{82855F7C-5ED3-6112-4007-00000000E601}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037039Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:15.257{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358CA21FFD2BC702B2CD8F9AA579A431,SHA256=E683B57209904827A333B50AE86EF2AA7F81AF1EAA2BEA40FC171F126232396C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051294Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:15.239{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0768AB053FC5C7EFABE6738AB22D7121,SHA256=772AF2D111EB3B7C06017AF8DE380026E9F5BCBF9128BC676BCEB52D69E5C210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051293Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:15.077{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8F1915CAFC194083DB94D8217FD5E032,SHA256=DFDBD21EDC68C41D6FDD543A0FCFB27D313E382D0B56000B2697BBB896698772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037068Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.632{82855F7C-5ED4-6112-4107-00000000E601}12321724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037067Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5ED4-6112-4107-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037066Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037065Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037064Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037063Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037062Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037061Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037060Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037059Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037058Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037057Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5ED4-6112-4107-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000037056Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.445{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5ED4-6112-4107-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000037055Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.446{82855F7C-5ED4-6112-4107-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037054Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.179{82855F7C-5ED3-6112-4007-00000000E601}24521104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000037053Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.007{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C45B6AD1DC7BFA314976A63220C7ED,SHA256=07D99D9D0FADCFB6A22850673C43360C59BEB2F0E6D8E186BFBF60202BC23EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051297Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:16.975{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03FC2CEFA60E4E4733BCE43B22673E06,SHA256=AD3A38319A23B2C325BDDD77D409788DBBA4256CC2235A0C49F18F5BC7109564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051296Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:16.257{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422EE3B01749EE39BDA24F39014D6F01,SHA256=152368BB30F9BEAEF45F2A996C136FA44138A944FFE6415C16650696B324F26F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051295Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:13.363{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-11501-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 10341000x800000000000000051304Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:17.506{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051303Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:17.506{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051302Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:17.506{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051301Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:17.506{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051300Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:17.506{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051299Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:17.491{82A15F94-5ED1-6112-D508-00000000E501}1044ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveMD5=8E3EE47A67D30CC4A9430029886AFCF7,SHA256=E9739373DA06FC34985BE1851F15B5C112283DF73ECBAE1114645A7A1212DFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051298Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:17.259{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DA02340FC5763F97838C938754237A,SHA256=807A5018EA75F1C0F1B5DAAA774C05EE1B81C5EE4739C3C89E982167E0B59EF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037101Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.945{82855F7C-5ED5-6112-4307-00000000E601}36441712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037100Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5ED5-6112-4307-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037099Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037098Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037097Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037096Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037095Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037094Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037093Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037092Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037091Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037090Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-3680-6112-0500-00000000E601}396984C:\Windows\system32\csrss.exe{82855F7C-5ED5-6112-4307-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000037089Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5ED5-6112-4307-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000037088Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.789{82855F7C-5ED5-6112-4307-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037087Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:16.020{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51790-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037086Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.180{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8AAA0E53C55785533B142EF82E023C8,SHA256=B0A2FD19DA51DDFDED58B5AEC9C4A471F3CEAB7DE967D185C0488488FB561310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037085Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C00D123266BDEB1C56A422CDCC29C5E,SHA256=7C11D20ED63469615F51C027BA6CCA46B20950E9F535E6F296B8DB0341DB53AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037084Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-36F1-6112-9C00-00000000E601}40083632C:\Windows\system32\conhost.exe{82855F7C-5ED5-6112-4207-00000000E601}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037083Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037082Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037081Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037080Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037079Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037078Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037077Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037076Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037075Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1F00-00000000E601}2044C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037074Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-3680-6112-0500-00000000E601}396512C:\Windows\system32\csrss.exe{82855F7C-5ED5-6112-4207-00000000E601}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000037073Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.117{82855F7C-36F1-6112-9800-00000000E601}39123768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{82855F7C-5ED5-6112-4207-00000000E601}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000037072Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.118{82855F7C-5ED5-6112-4207-00000000E601}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{82855F7C-3680-6112-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{82855F7C-36F1-6112-9800-00000000E601}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037071Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.101{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037070Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.101{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037069Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:17.101{82855F7C-3681-6112-0C00-00000000E601}7122680C:\Windows\system32\svchost.exe{82855F7C-3681-6112-1500-00000000E601}1156C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051310Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:18.756{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051309Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:18.708{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x800000000000000051308Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:18.708{82A15F94-3D89-6112-C804-00000000E501}64606380C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8C-6112-CD04-00000000E501}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+a1c74f|C:\Program Files\Mozilla Firefox\xul.dll+240e608|C:\Program Files\Mozilla Firefox\xul.dll+22cf131|C:\Program Files\Mozilla Firefox\xul.dll+22cb14a|C:\Program Files\Mozilla Firefox\xul.dll+2efb550|C:\Program Files\Mozilla Firefox\xul.dll+2f150da|C:\Program Files\Mozilla Firefox\xul.dll+2ef4929|C:\Program Files\Mozilla Firefox\xul.dll+2ef4645|C:\Program Files\Mozilla Firefox\xul.dll+2ef81eb|C:\Program Files\Mozilla Firefox\xul.dll+2f102bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1c528|C:\Program Files\Mozilla Firefox\xul.dll+2f1b924|C:\Program Files\Mozilla Firefox\xul.dll+2eff0f0|C:\Program Files\Mozilla Firefox\xul.dll+166a881|C:\Program Files\Mozilla Firefox\xul.dll+166937a|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+8dd9e7|C:\Program Files\Mozilla Firefox\nss3.dll+754ed|C:\Program Files\Mozilla Firefox\nss3.dll+8d281|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x800000000000000051307Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-ConnectPipe2021-08-10 11:11:18.708{82A15F94-3D89-6112-C804-00000000E501}6460\chrome.6248.73.113112889C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000051306Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-CreatePipe2021-08-10 11:11:18.708{82A15F94-3D8C-6112-CD04-00000000E501}6248\chrome.6248.73.113112889C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000051305Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:18.275{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3533A97AE8871D8C87940C1298963F26,SHA256=D83252E4476E3391D42DB34C227C4274840D0CE0DCC12C3ED0AAB02D0BEB9805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037103Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:18.836{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=916B02F3D0B1AC75C12D9D5D084931CE,SHA256=28E89EB965F0F9F3D0F4ABEB120B9D689C310EA5B4F31DC89D394335E4EE516C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037102Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:18.211{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0669946628ADF09548670D64CC6894,SHA256=1826BA0729F8B4DDF6F95CC172F3E828D8634A96B9045996CC727A9B3D3B64DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037104Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:19.273{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9325144DB75B5EBE0BA3CFFC68C8E92,SHA256=306DB5D13DA68FE83B84F7CFD8F0EEE87116DFE77242F846F579495F6EBCEDA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051448Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051447Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051446Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051445Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051444Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3D89-6112-C804-00000000E501}64605824C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+ee176e|C:\Program Files\Mozilla Firefox\xul.dll+295ce2|C:\Program Files\Mozilla Firefox\xul.dll+294fef|C:\Program Files\Mozilla Firefox\xul.dll+294dda|C:\Program Files\Mozilla Firefox\xul.dll+efa627|C:\Program Files\Mozilla Firefox\xul.dll+18bc1eb|C:\Program Files\Mozilla Firefox\xul.dll+1acb407|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acda80|C:\Program Files\Mozilla Firefox\xul.dll+177666f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1fba|C:\Program Files\Mozilla Firefox\xul.dll+f21e26|C:\Program Files\Mozilla Firefox\xul.dll+19c1ff5|C:\Program Files\Mozilla Firefox\xul.dll+1669d74|C:\Program Files\Mozilla Firefox\xul.dll+19e529e|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+1a3c08|C:\Program Files\Mozilla Firefox\xul.dll+1a2a9f 10341000x800000000000000051443Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3D89-6112-C804-00000000E501}64605824C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+ee1747|C:\Program Files\Mozilla Firefox\xul.dll+295ce2|C:\Program Files\Mozilla Firefox\xul.dll+294fef|C:\Program Files\Mozilla Firefox\xul.dll+294dda|C:\Program Files\Mozilla Firefox\xul.dll+efa627|C:\Program Files\Mozilla Firefox\xul.dll+18bc1eb|C:\Program Files\Mozilla Firefox\xul.dll+1acb407|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acda80|C:\Program Files\Mozilla Firefox\xul.dll+177666f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1fba|C:\Program Files\Mozilla Firefox\xul.dll+f21e26|C:\Program Files\Mozilla Firefox\xul.dll+19c1ff5|C:\Program Files\Mozilla Firefox\xul.dll+1669d74|C:\Program Files\Mozilla Firefox\xul.dll+19e529e|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+1a3c08|C:\Program Files\Mozilla Firefox\xul.dll+1a2a9f 10341000x800000000000000051442Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3D89-6112-C804-00000000E501}64605824C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+ee171c|C:\Program Files\Mozilla Firefox\xul.dll+295ce2|C:\Program Files\Mozilla Firefox\xul.dll+294fef|C:\Program Files\Mozilla Firefox\xul.dll+294dda|C:\Program Files\Mozilla Firefox\xul.dll+efa627|C:\Program Files\Mozilla Firefox\xul.dll+18bc1eb|C:\Program Files\Mozilla Firefox\xul.dll+1acb407|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acda80|C:\Program Files\Mozilla Firefox\xul.dll+177666f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1fba|C:\Program Files\Mozilla Firefox\xul.dll+f21e26|C:\Program Files\Mozilla Firefox\xul.dll+19c1ff5|C:\Program Files\Mozilla Firefox\xul.dll+1669d74|C:\Program Files\Mozilla Firefox\xul.dll+19e529e|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+1a3c08|C:\Program Files\Mozilla Firefox\xul.dll+1a2a9f 10341000x800000000000000051441Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051440Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051439Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3D89-6112-C804-00000000E501}64605824C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+ee176e|C:\Program Files\Mozilla Firefox\xul.dll+295ce2|C:\Program Files\Mozilla Firefox\xul.dll+294fef|C:\Program Files\Mozilla Firefox\xul.dll+294dda|C:\Program Files\Mozilla Firefox\xul.dll+efa627|C:\Program Files\Mozilla Firefox\xul.dll+18bc1eb|C:\Program Files\Mozilla Firefox\xul.dll+1acb407|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acda80|C:\Program Files\Mozilla Firefox\xul.dll+177666f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1fba|C:\Program Files\Mozilla Firefox\xul.dll+f21e26|C:\Program Files\Mozilla Firefox\xul.dll+19c1ff5|C:\Program Files\Mozilla Firefox\xul.dll+1669d74|C:\Program Files\Mozilla Firefox\xul.dll+19e529e|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+1a3c08|C:\Program Files\Mozilla Firefox\xul.dll+1a2a9f 10341000x800000000000000051438Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3D89-6112-C804-00000000E501}64605824C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+ee1747|C:\Program Files\Mozilla Firefox\xul.dll+295ce2|C:\Program Files\Mozilla Firefox\xul.dll+294fef|C:\Program Files\Mozilla Firefox\xul.dll+294dda|C:\Program Files\Mozilla Firefox\xul.dll+efa627|C:\Program Files\Mozilla Firefox\xul.dll+18bc1eb|C:\Program Files\Mozilla Firefox\xul.dll+1acb407|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acda80|C:\Program Files\Mozilla Firefox\xul.dll+177666f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1fba|C:\Program Files\Mozilla Firefox\xul.dll+f21e26|C:\Program Files\Mozilla Firefox\xul.dll+19c1ff5|C:\Program Files\Mozilla Firefox\xul.dll+1669d74|C:\Program Files\Mozilla Firefox\xul.dll+19e529e|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+1a3c08|C:\Program Files\Mozilla Firefox\xul.dll+1a2a9f 10341000x800000000000000051437Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.961{82A15F94-3D89-6112-C804-00000000E501}64605824C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1befe1|C:\Program Files\Mozilla Firefox\xul.dll+ee171c|C:\Program Files\Mozilla Firefox\xul.dll+295ce2|C:\Program Files\Mozilla Firefox\xul.dll+294fef|C:\Program Files\Mozilla Firefox\xul.dll+294dda|C:\Program Files\Mozilla Firefox\xul.dll+efa627|C:\Program Files\Mozilla Firefox\xul.dll+18bc1eb|C:\Program Files\Mozilla Firefox\xul.dll+1acb407|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acc0fe|C:\Program Files\Mozilla Firefox\xul.dll+1acda80|C:\Program Files\Mozilla Firefox\xul.dll+177666f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1fba|C:\Program Files\Mozilla Firefox\xul.dll+f21e26|C:\Program Files\Mozilla Firefox\xul.dll+19c1ff5|C:\Program Files\Mozilla Firefox\xul.dll+1669d74|C:\Program Files\Mozilla Firefox\xul.dll+19e529e|C:\Program Files\Mozilla Firefox\xul.dll+a1516f|C:\Program Files\Mozilla Firefox\xul.dll+26c7e|C:\Program Files\Mozilla Firefox\xul.dll+1a3c08|C:\Program Files\Mozilla Firefox\xul.dll+1a2a9f 10341000x800000000000000051436Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.938{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051435Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.938{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051434Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.938{82A15F94-3D89-6112-C804-00000000E501}64606196C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051433Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.938{82A15F94-3D89-6112-C804-00000000E501}64601032C:\Program Files\Mozilla Firefox\firefox.exe{82A15F94-3D8B-6112-C904-00000000E501}7112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38090|C:\Program Files\Mozilla Firefox\firefox.exe+37f86|C:\Program Files\Mozilla Firefox\firefox.exe+494f0|C:\Program Files\Mozilla Firefox\firefox.exe+491ec|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051432Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-371C-6112-5301-00000000E501}7606096C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051431Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-371C-6112-5301-00000000E501}7605248C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051430Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-371C-6112-5301-00000000E501}7606096C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051429Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-371C-6112-5301-00000000E501}7605248C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051428Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051427Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051426Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051425Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2B00-00000000E501}2912C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051424Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.923{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051423Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.907{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051422Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.907{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051421Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.907{82A15F94-371C-6112-5301-00000000E501}7606704C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051420Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.907{82A15F94-371C-6112-5301-00000000E501}7606704C:\Windows\Explorer.EXE{82A15F94-372A-6112-7A01-00000000E501}5788C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051419Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.907{82A15F94-371C-6112-5301-00000000E501}7605248C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051418Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.907{82A15F94-371C-6112-5301-00000000E501}7605248C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051417Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.907{82A15F94-371C-6112-5301-00000000E501}7606096C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051416Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.907{82A15F94-371C-6112-5301-00000000E501}7606096C:\Windows\Explorer.EXE{82A15F94-3729-6112-7901-00000000E501}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051415Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.891{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051414Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.891{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051413Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.891{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051412Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.891{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051411Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.860{82A15F94-5ED7-6112-DD08-00000000E501}53366012C:\Windows\system32\LogonUI.exe{82A15F94-3719-6112-4201-00000000E501}5000C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051410Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.822{82A15F94-3494-6112-1600-00000000E501}12881260C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051409Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.822{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051408Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.807{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051407Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.807{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051406Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.807{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051405Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.807{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051404Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.807{82A15F94-3719-6112-4101-00000000E501}51043668C:\Windows\system32\csrss.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051403Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.807{82A15F94-3719-6112-4201-00000000E501}50005252C:\Windows\system32\winlogon.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+e50a|C:\Windows\system32\winlogon.exe+c62f|C:\Windows\system32\winlogon.exe+3154|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051402Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.818{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a36055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{82A15F94-3719-6112-4201-00000000E501}5000C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000051401Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.807{82A15F94-3494-6112-1600-00000000E501}12881260C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DC08-00000000E501}4168C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051400Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.807{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DC08-00000000E501}4168C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051399Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.775{82A15F94-3719-6112-4101-00000000E501}51046344C:\Windows\system32\csrss.exe{82A15F94-5ED7-6112-DC08-00000000E501}4168C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051398Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.775{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051397Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.775{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051396Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.775{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051395Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.775{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051394Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.775{82A15F94-5ED7-6112-D708-00000000E501}19926464C:\Windows\system32\cmd.exe{82A15F94-5ED7-6112-DC08-00000000E501}4168C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051393Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.787{82A15F94-5ED7-6112-DC08-00000000E501}4168C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXERunDll32.exe user32.dll,LockWorkStationC:\Temp\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x800000000000000051392Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.760{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1AB293798880BD11C921040330C36FCD,SHA256=B8643ED675E7777CA9DDD235FB724F2DCE76C2AFCC412D4AD43FB23CCBD92D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051391Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.760{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=51582F974CB13620887E1773234E32B6,SHA256=21803F382E5E1925E568682354C5D3ABEF0E478D1123BCABE7A381572707A0F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051390Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.738{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DB08-00000000E501}3532C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051389Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.723{82A15F94-3494-6112-1600-00000000E501}12881260C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DB08-00000000E501}3532C:\Windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051388Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.723{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DB08-00000000E501}3532C:\Windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051387Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051386Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051385Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051384Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051383Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-3719-6112-4101-00000000E501}51043668C:\Windows\system32\csrss.exe{82A15F94-5ED7-6112-DB08-00000000E501}3532C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051382Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-5ED7-6112-D708-00000000E501}19926464C:\Windows\system32\cmd.exe{82A15F94-5ED7-6112-DB08-00000000E501}3532C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051381Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.683{82A15F94-5ED7-6112-DB08-00000000E501}3532C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMsiExec.exe /qn /X{2519A41E-5D7C-429B-B2DB-1E943927CB3D} REBOOT=ReallySuppress C:\Temp\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 23542300x800000000000000051380Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4C1B4D0D91A6F6EF57C589C6B79BFB18,SHA256=0753710124646F932A748678C433F4BF3F19338865EA595E9665B7D796BAC593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051379Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC447D376ECB80096CEEDD4B2CC82924,SHA256=55B1C363FDD141E1B99CA4225269A4E9D1D0A490C094812824523EA82C64BD70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051378Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.676{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A22D85A553400CD9CA23AB80280247C1,SHA256=3F3F425BB427D5049C9C31FF5509167184A8491AF6861B8E524FA9F9A2BF65B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051377Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.660{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051376Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.660{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051375Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.660{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051374Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.660{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051373Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.660{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051372Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.660{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051371Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.660{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051370Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.638{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-5ED7-6112-DA08-00000000E501}3244C:\Windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051369Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.638{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-5ED7-6112-DA08-00000000E501}3244C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051368Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.623{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DA08-00000000E501}3244C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051367Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.623{82A15F94-3491-6112-0A00-00000000E501}6244812C:\Windows\system32\services.exe{82A15F94-5ED7-6112-DA08-00000000E501}3244C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051366Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051365Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051364Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051363Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051362Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5ED7-6112-DA08-00000000E501}3244C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051361Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3491-6112-0A00-00000000E501}6241068C:\Windows\system32\services.exe{82A15F94-5ED7-6112-DA08-00000000E501}3244C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051360Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.587{82A15F94-5ED7-6112-DA08-00000000E501}3244C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT AUTHORITY\SYSTEM{82A15F94-3491-6112-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{82A15F94-3491-6112-0A00-00000000E501}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000051359Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-3491-6112-0A00-00000000E501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051358Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051357Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051356Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3491-6112-0B00-00000000E501}632796C:\Windows\system32\lsass.exe{82A15F94-3491-6112-0A00-00000000E501}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051355Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.576{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051354Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.560{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051353Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.558{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051352Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.558{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051351Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.555{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051350Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.555{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051349Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.555{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051348Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.555{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051347Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.539{82A15F94-3494-6112-1600-00000000E501}12881260C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051346Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.539{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051345Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.461{82A15F94-3719-6112-4101-00000000E501}51043668C:\Windows\system32\csrss.exe{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051344Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.461{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051343Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.461{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051342Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.461{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051341Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.461{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051340Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.461{82A15F94-5ED7-6112-D708-00000000E501}19926464C:\Windows\system32\cmd.exe{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051339Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.464{82A15F94-5ED7-6112-D908-00000000E501}4640C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMsiExec.exe /X{FED1005D-CBC8-45D5-A288-FFC7BB304121} /qn REBOOT=SUPPRESS /PASSIVEC:\Temp\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" " 10341000x800000000000000051338Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.438{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051337Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.438{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051336Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.438{82A15F94-371C-6112-5301-00000000E501}7602540C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051335Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.438{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051334Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.423{82A15F94-371C-6112-4D01-00000000E501}32041308C:\Windows\system32\taskhostw.exe{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051333Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.407{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051332Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.407{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051331Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.407{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051330Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.407{82A15F94-371C-6112-5301-00000000E501}7606116C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051329Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.407{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051328Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.407{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051327Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.407{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051326Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.407{82A15F94-371C-6112-5301-00000000E501}7605476C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051325Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.391{82A15F94-3494-6112-1600-00000000E501}12881260C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051324Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.391{82A15F94-3494-6112-1600-00000000E501}12881336C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051323Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.391{82A15F94-5ED7-6112-D808-00000000E501}35764120C:\Windows\system32\conhost.exe{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051322Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-3719-6112-4101-00000000E501}51045012C:\Windows\system32\csrss.exe{82A15F94-5ED7-6112-D808-00000000E501}3576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x800000000000000051321Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.localInvDBSetValue2021-08-10 11:11:19.376{82A15F94-3493-6112-1200-00000000E501}620C:\Windows\System32\svchost.exeHKU\S-1-5-21-2413384075-1693603943-3559489279-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\1.batBinary Data 10341000x800000000000000051320Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-3493-6112-1200-00000000E501}6203516C:\Windows\System32\svchost.exe{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051319Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-3493-6112-1200-00000000E501}6203516C:\Windows\System32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051318Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051317Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051316Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051315Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-3719-6112-4101-00000000E501}51045012C:\Windows\system32\csrss.exe{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051314Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051313Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.376{82A15F94-371C-6112-5301-00000000E501}7607104C:\Windows\Explorer.EXE{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000051312Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.372{82A15F94-5ED7-6112-D708-00000000E501}1992C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\1.bat" "C:\Temp\ATTACKRANGE\Administrator{82A15F94-371B-6112-6303-0E0000000000}0xe03632HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000051311Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:19.297{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FB2B7C1A965736DA58277BAD922F65,SHA256=797C7D12A8B23B9B40C5DD3FEAE0AAB60367D6ADF3BA2114722607AD61E5A422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037105Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:20.273{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D18B3CE637AA4DE79BF8D13CE070A78,SHA256=DE8EC3506B8B770DBA893BA1962852980433D0009AC60141F8F3644B3F880F7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051498Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051497Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051496Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051495Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051494Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051493Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051492Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051491Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051490Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051489Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051488Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.510{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051487Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.394{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0659B7C63B819663672A9542A827306F,SHA256=4985D64774521B2D6B76192B355E4BED7289F66C7781C07D75FEFB2575D48FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051486Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.394{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B9B8AFED00EA893F9D2A0FD1F02E1C6,SHA256=3A06B102949B7BFA7F688965CD350338FEFE4D9DC2466176057630E9AE9BBF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051485Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.378{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A1B1A4BD6F832720625BCD79C2FB75E3,SHA256=EC64719EA5ED10DBD964C0D8972A0822A91C2F7ED8C8BAF49FDD97EAC2B153C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051484Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFEEAF892EE0F0FDBAB9C110EC03AD8,SHA256=A64B8734D88BFEF1A03874240EBC589A6C1E7F70B82A64139DFA0A44CE3C5FE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051483Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051482Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051481Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051480Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8404940C:\Windows\system32\svchost.exe{82A15F94-34A4-6112-2D00-00000000E501}2920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051479Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-3493-6112-1200-00000000E501}620C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051478Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051477Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-1000-00000000E501}3801692C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051476Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051475Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051474Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-1000-00000000E501}3801692C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051473Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051472Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051471Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1400-00000000E501}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051470Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.309{82A15F94-3493-6112-1000-00000000E501}3801692C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051469Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051468Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051467Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051466Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051465Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051464Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3D89-6112-C804-00000000E501}6460C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051463Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-371B-6112-4801-00000000E501}4760C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051462Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}840340C:\Windows\system32\svchost.exe{82A15F94-371B-6112-4801-00000000E501}4760C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051461Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-3DE5-6112-D804-00000000E501}5632C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051460Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-371B-6112-4801-00000000E501}4760C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051459Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}8403248C:\Windows\system32\svchost.exe{82A15F94-371C-6112-5301-00000000E501}760C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051458Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED7-6112-DD08-00000000E501}5336C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051457Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3719-6112-4201-00000000E501}5000C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+115a|c:\windows\system32\SYSNTFY.dll+1247|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051456Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.293{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-3494-6112-1600-00000000E501}1288C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051455Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.240{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-371A-6112-4401-00000000E501}3352C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051454Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.240{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-371A-6112-4401-00000000E501}3352C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051453Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.040{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB51A4E68E8C082D37FC73F894E6D723,SHA256=B7D20439B5B32CCE71C5D531E5F85299D239105E4ACF9CB0C84AD84FFBB5B86F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051452Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.024{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED8-6112-DF08-00000000E501}6468C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051451Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.008{82A15F94-3491-6112-0500-00000000E501}420436C:\Windows\system32\csrss.exe{82A15F94-5ED8-6112-DF08-00000000E501}6468C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000051450Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.008{82A15F94-3493-6112-0C00-00000000E501}8405188C:\Windows\system32\svchost.exe{82A15F94-5ED8-6112-DF08-00000000E501}6468C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000051449Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:20.008{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627604E0F38ABC123160B42043EDFD97,SHA256=4537113EF2F6D6A6E8D17FEEBA664012850B200EDE6113228A2432293612F42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037106Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:21.289{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7227CDA90AB0D8E96E6FB44AE743CA,SHA256=0D3DBA78ADA99C3238DDD49EFA0CB6377E50968515442EFFE20A1DEC2645DA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051502Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:21.527{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C1B88C9014B1DEA95870ADD8A7A85D,SHA256=4E675EDB5077F8D56828F088CCE7A44C4318FB0D561FAA7C9374CA453CDB8399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051501Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:21.527{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B9B8AFED00EA893F9D2A0FD1F02E1C6,SHA256=3A06B102949B7BFA7F688965CD350338FEFE4D9DC2466176057630E9AE9BBF8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051500Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:18.648{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-21469-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000051499Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:17.524{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local51194-false10.0.1.12-8000- 23542300x800000000000000051504Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:22.536{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E539CE2D07E05338CB2A5B7098BCD183,SHA256=4BDA28430471D7093D0E5B6C2E78D1306E62E7646F65938FF442F81AC87DF006,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037117Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000037116Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009dac42) 13241300x800000000000000037115Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dd0-0x11c2a688) 13241300x800000000000000037114Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd8-0x73870e88) 13241300x800000000000000037113Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78de0-0xd54b7688) 13241300x800000000000000037112Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000037111Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009dac42) 13241300x800000000000000037110Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d78dd0-0x11c2a688) 13241300x800000000000000037109Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d78dd8-0x73870e88) 13241300x800000000000000037108Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:22.773{82855F7C-3680-6112-0B00-00000000E601}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78de0-0xd54b7688) 23542300x800000000000000037107Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:22.289{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E077D3B83209B76DFA1951454763055E,SHA256=81228563EB00CD075E85C6737BB4F861BD50920E4412C567EAF90A28550EDEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051503Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:22.304{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D70825BE3558692C820F4B911AAEFDD,SHA256=482257D244E1C98BA7F5ACD8057F2A3057A1C480AEB3682C196EAFCAE03D14D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051505Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:23.543{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A54B994FA65CA9C146EC4419CB97D7,SHA256=AE1811D28B44EB5AC5FD3B93A091ACC58C295F27AE6580042FEC2EFA151B5D27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037119Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:21.769{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51791-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037118Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:23.304{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D7A36BA9CDD25E13E6B1211A25CBAC,SHA256=8C9ABD3109D2E8ED97268C890E10C621154843C8F5B71A7B7A882913ED24D225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051506Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:24.558{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0EE1ACD2C48D0E612378D26AAF90E1,SHA256=956BD777CADE202166B155538952C5AC835467A907F7EDE59836A3E0FA768547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037120Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:24.320{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2380049BCB7AC325FD73BA0A5676BF96,SHA256=F6D8FA60C4CEE7A38B70C787BE0D9BD67BDA1D8A2478457096E1F26FC025D67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051509Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:25.589{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6ED9FE0852F7E6EC211BE2ECF9015C2,SHA256=DBC130A7FAA456BD307C6DCDF17033B0E6326F674C86A67EBFF052E4BF2F14C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037121Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:25.336{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B279B4EE117326AC7DF0CBCF210B243F,SHA256=FD16ABBF9ACF6087B69636E463F99F88260A43CD9FDDF6A48C81E8DCB2F81C7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051508Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:22.677{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local51195-false10.0.1.12-8000- 354300x800000000000000051507Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:21.808{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-25447-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051517Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:26.625{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE59E752AF4F1237757A4FE39CF76E72,SHA256=55873C8E649CD5FB126EC3FFC1BAFEC4FC477002ACD6C4D36BD8D3672793AD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037122Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:26.367{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84324552C3161B6601A2ABE68D76CF00,SHA256=E01A805440E111E30A96DDEB94F94E2AD7CB38AC9F9D4F8C456D0E22256FCA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051516Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:26.325{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=E3EE16C4D4F1102A4047B6D157639266,SHA256=08014C7945F3E60F1C34B296BDA85C684854782D7FA3F2C2A0D2FFC3737C7113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051515Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:26.325{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=C740F44CE6AC0A7FC92FD0903DD41790,SHA256=9A8B657FCC43D49E142C9156BB1B7CF4A6F21384124E05B10935DE4F18E8470A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051514Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:26.325{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=800D6597C56C872B70C5BCEC6BE9C3CD,SHA256=BD20E8F68ED3FB46EA74674823F7D3A45E314B3CDE7DE47FBB7FBC761B48CF17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051513Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:26.325{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=F148D6A5F079CC4FD4F5F67D3E2F3CE9,SHA256=1436BC236DC896285B18986D66C6BA01F60933E67E12FE912D9EB0B40DCEF68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051512Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:26.325{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=4D69A7C3B7BA2CC9754A940F3BBA2609,SHA256=CDDFEAD7AE8D29F5A39221813E117F46EFF321EFE1C053A831466BEE3CDF2953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051511Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:26.322{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=30B6DC883DAA2CD3BC1D638F356671B6,SHA256=0A5A0F4BDF19F425B1102A55CA082BFAD27224C4BDDF25FADE566F36C7513C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051510Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:26.321{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\datareporting\glean\db\data.safe.binMD5=81A39AB244BFEF44BCF73AAB1FEE8787,SHA256=E33F0B84E3D4C848B20CC3F51C252048A0A3CB773F5C02FBA93F75B78F490997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051518Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:27.673{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52847926ED84C4928239518622FDE021,SHA256=25127A864AA04C4BBCEE8BD0BFD7BBDFA1ABA5E5EE86F3DB12293715664301B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037123Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:27.398{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3374E6EC9A27CBD07AC60F3F3565023F,SHA256=E1F981518FD3B324CFD100D660DAD928BE34877A264308F57D0D14C65B6249B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051521Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:28.723{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C313955EDFFE5C3DD4D8F86E7A09882,SHA256=01454691111436D7AF9520A8590D4B6CDD0BF7A491A42B07AA760DC9888330F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037124Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:28.414{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0393FA32E6B3F0484CBA7BB2B9130F73,SHA256=F55A4FCE5368E13E946EE8E5C8B44EB1CFEA25411F57C606BE7B14B977C6CBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051520Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:28.225{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B3C1F16C6D0B4B9E7ADE06F6BE4F277,SHA256=C4ED32528A9DD7F49ED0AE2C53C3409842898BA464D449A4E96FC73F3E553220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051519Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:28.224{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=285E19F79E8A2F0CAE12868BC3792903,SHA256=1B1E5AB24A5C579036956CBE7C254FB2CE409F894D0B1E290911F24EE918419B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051522Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:29.773{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEC4D3186C1939685B74FED5A684419,SHA256=46FB2F181CADB6588FCDFC04FD0D2B50A6FA4FB341AAA53DE16BD6643A0C4EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037126Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:29.507{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764F05F28BE2275A17296FDDA7C91C13,SHA256=40B82613ACE6FB7E88B869C532D8245CD9C839CA42B73C3D62DF93C55A1E21F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037125Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:26.988{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51792-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037127Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:30.541{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B1A7A93CBF4111684A40C8BE13C5B2,SHA256=D677D0DA081218E1CC2E854404B4E62C0FCD72E37CF2C184DB56EB1FCBA09D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051525Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:30.788{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794D645624C15A1E8C4366042CADD553,SHA256=3BEF49AC708475E90D25349BB0788C45E08C0B88B016C09C29EB77CD13C305F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051524Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:30.788{82A15F94-3D89-6112-C804-00000000E501}6460ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vqb9vyz9.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051523Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:27.712{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-35022-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 23542300x800000000000000051528Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:31.803{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77344726DCF601DD758D3C3A93443759,SHA256=09882F5552ECDB05BEB44154F1A8D6859351CD996C02A556087E9CF043F10D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037128Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:31.555{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBD849563910C15CC77FCB58822D4F2,SHA256=A6FE81D0EF34700FDE5B16BBD0DB3BD78DD1F0616D72B5BD6B85416D489D829A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051527Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:31.273{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B3C1F16C6D0B4B9E7ADE06F6BE4F277,SHA256=C4ED32528A9DD7F49ED0AE2C53C3409842898BA464D449A4E96FC73F3E553220,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051526Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:28.575{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local51196-false10.0.1.12-8000- 23542300x800000000000000051529Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:32.821{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390DE32F1D3F9BD1F06AC4340324D8C9,SHA256=4574FFF37942E456D5834A8988C8D6B474809B97FC9838A34ADB607A63BC10FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037129Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:32.570{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F627892613AE73D4E213FA09D4176F,SHA256=5908BC760138F5B66416F2886407598D1EB89BFFC3A744AB29C63458D2A3BB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051531Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:33.840{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A54A7661C532DC891F2350C415AF67,SHA256=0D472B2DE2355BA3E8819D5AB3AC244A4A54D4E5DF3C32182E98E1D751D69990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037130Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:33.617{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFCDBCCF15DF80F76663D568CB65DD4,SHA256=93099C443C95F72E9A0D757804AB2D13720B375287DBF08A7FB841310E3AA640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051530Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:33.223{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4539E88D5786F4E0DB05B19D9A15CED,SHA256=FC2F5116760D10249BBCA3080C7E62E2D0DA0B3607D67B77EFEF1C262DB3E0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051535Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:34.841{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1274E5B0E1A5A9B8032F58EADEFC14F1,SHA256=420E77838C2B34AE25073D6068B377C2843E8D8825066BFF16248ACEFCEEE9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037131Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:34.649{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6E8480CEB740B3E563FB2F2087FD6D,SHA256=3EA1D39C1FA40D03316D1AB5E695D62F0BCB4D361B406C47046FFD7432E53168,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051534Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:31.637{82A15F94-3491-6112-0B00-00000000E501}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51197-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 354300x800000000000000051533Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:31.637{82A15F94-34A4-6112-2600-00000000E501}2852C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-15.attackrange.local51197-true0:0:0:0:0:0:0:1win-dc-15.attackrange.local389ldap 23542300x800000000000000051532Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:34.103{82A15F94-353A-6112-B100-00000000E501}3808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2ADC5C3504B3C61C2CF52343BC9CBCEA,SHA256=DCE76430D502254FA177C54C66CE91E13AF1880F391810050FAE02682F8CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051538Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:35.856{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6D8A9A40913DBE6FA3101C172C6FF2,SHA256=5C0DED832634414C8CE663CC53B9C124E6B374C967CA859BBF90BE5DA5E13D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037133Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:35.680{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACBDE79F44FFA39B2B3A3FD690517323,SHA256=E393CB8F00132178CA46E5F14BD4BF8B16896ACAF32488AE3B6E119BEF08D7CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051537Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:33.520{82A15F94-353A-6112-B100-00000000E501}3808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local51198-false10.0.1.12-8089- 354300x800000000000000051536Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:33.409{82A15F94-3493-6112-0F00-00000000E501}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse176.111.173.99-45284-false10.0.1.14win-dc-15.attackrange.local3389ms-wbt-server 354300x800000000000000037132Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:32.957{82855F7C-36F9-6112-C600-00000000E601}3984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-456.attackrange.local51793-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000051539Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:36.857{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2493F536CC0D7BE43B035EF66381E4A8,SHA256=87D04A960700D4AEE7AB385874ADA4DBA060C356EDC1777DFCAE22032F0B65C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037134Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:36.711{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795C2BEDF7307C6A35451856132413C6,SHA256=5BAD037DC76450F992D9FA7AF4BA87DF416B738FC103BFCFD48DFACF5D0946AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051542Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:37.871{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF0DA3C1FC7224D5A2999D19C9A8F52,SHA256=AEDF985E8968B0D2F0A6C8C6137060A1E6A4A790C427F3B37CDC93B669443B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037135Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:37.758{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF22E82E6B6C44F4678716F59113A8F,SHA256=1CD0AEBF649128B77D6D8A25DD2C811958BB8B5CB99068447CA7A73E7F944106,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051541Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:34.521{82A15F94-3542-6112-DF00-00000000E501}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-15.attackrange.local51199-false10.0.1.12-8000- 23542300x800000000000000051540Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:37.072{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D29F7A86922122EBEEF8FC58E8493F43,SHA256=348225A84786B943677CBC39983BA6D0A6AB6C9F8285E6F3E4BDCDE98FECBD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051543Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:38.886{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29767F56673C7581A3DD91D5ED1029C4,SHA256=2A44FE971D0CEED44627482805FAC0E97878EAF74538BEED1CFADA62C126C3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037136Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:38.774{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180D89F7C4DAE78C8DFC2F7436C08B4B,SHA256=8D1B59A44A3ED7B92D1860EE847CABC4115CDB1CD83E8AA48B1A80309B234B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037137Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-2021-08-10 11:11:39.805{82855F7C-36FE-6112-D600-00000000E601}640NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347666B48B5ED68C1EE5E20E618CDF44,SHA256=18B7E57093F933FB480E2C94C683E3E9A148DDFB39B60180A3C5084794F8E310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051544Microsoft-Windows-Sysmon/Operationalwin-dc-15.attackrange.local-2021-08-10 11:11:39.918{82A15F94-3547-6112-E800-00000000E501}296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD35CDB2F2C4F6E0DA8E0B62EEB0349,SHA256=6D4DDF9627290D4ECA1FA8F0B55C8DD8DC38A988E53A02DAD9E9322CA71FE8EA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037138Microsoft-Windows-Sysmon/Operationalwin-host-456.attackrange.local-SetValue2021-08-10 11:11:40.055{82855F7C-3681-6112-1000-00000000E601}944C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78dd8-0x7e34b842)